Aavegotchi Gotchiverse
Result: Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned, but it can sign real Base blockchain transactions with a wallet private key, so users should keep dry-run mode and approve broadcasts carefully.
Install only if you intend to let the agent help with real Gotchiverse on-chain actions. Use a dedicated wallet, verify official contract addresses and Base chain ID, keep DRY_RUN behavior until you are ready, and approve each broadcast transaction deliberately.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Description: The skill requires a wallet private key so it can sign Base mainnet transactions for the user's account.
Evidence: primaryEnv: PRIVATE_KEY
Impact: Anyone or any agent process with this key could sign transactions from that wallet, potentially affecting assets beyond the intended Gotchiverse task.
Recommendation: Use a dedicated low-balance wallet/key, keep the key out of logs and chat, verify FROM_ADDRESS matches the key, and only allow broadcasts you have reviewed.
Finding 2
Description: The skill uses raw Foundry cast commands for state-changing blockchain operations, but it explicitly says broadcasts require user instruction.
Evidence: Broadcast with `cast send --private-key "$PRIVATE_KEY"` only when explicitly instructed.
Impact: A mistaken broadcast could spend tokens, burn GLTR, craft or upgrade items, claim resources, or change parcel/access state on-chain.
Recommendation: Run simulations first, compare arguments and contract addresses, and require a clear final confirmation before any `cast send` command.
Finding 3
Description: The skill queries external Goldsky subgraph endpoints and may include an Authorization bearer token when a Goldsky API key is set.
Evidence:
GOTCHIVERSE_SUBGRAPH_URL=https://api.goldsky.com/api/public/...
CORE_SUBGRAPH_URL=https://api.goldsky.com/api/public/...
Impact: Wallet addresses, parcel IDs, and query timing may be visible to the subgraph provider, although this is expected for the workflow and uses public blockchain data.
Recommendation: Use trusted RPC/subgraph endpoints, avoid sending unnecessary API keys, and be aware that queried wallet/parcel identifiers may be observable by the provider.
Finding 4
Description: The artifacts do not provide an upstream project source or homepage for independently validating the skill package.
Evidence:
Source: unknown
Homepage: none
Impact: Users have less provenance context for the supplied contract addresses and operational runbooks.
Recommendation: Verify contract addresses, subgraph URLs, and function behavior against official Aavegotchi/Gotchiverse documentation before signing transactions.
