Agent Swarm

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real XMTP payment-agent skill, but it includes full wallet custody, unrelated autonomous X-account instructions, and local code execution that need review before use.

Only install after reviewing the source. Use a dedicated low-balance wallet, do not provide X credentials, remove the cron social-media prompt, run any worker or verification code in a sandbox, and require explicit approval before swaps, escrow actions, transfers, or public posts.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If misused or compromised, the agent could sign messages and transactions and spend funds from that wallet.

Why it was flagged

The skill requires a full Ethereum private key that controls both the agent identity and funds, but the registry metadata declares no primary credential or required env vars.

Skill content
Create a `.env` file with your agent's Ethereum private key: `WALLET_PRIVATE_KEY=0xYourPrivateKey` ... `One private key, full agent custody.`
Recommendation

Use only a fresh, dedicated, low-balance wallet; require explicit transaction approvals and spend limits; declare the credential requirement clearly.

Concern, Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

A bundled key could expose funds, confuse which wallet is being used, or cause multiple users/agents to share an unsafe credential.

Why it was flagged

The static scan reports a hardcoded private key assignment in the CLI; a hardcoded wallet key is not expected for a user-custodied payment agent.

Skill content
privateKey = [REDACTED];
Recommendation

Remove any hardcoded private keys and load credentials only from user-controlled secret storage.

What this means

The agent could move or convert wallet funds in ways the user did not intend if a task flow or peer interaction goes wrong.

Why it was flagged

The skill describes automatic on-chain asset conversion and payment behavior without documented caps, confirmations, or recovery controls.

Skill content
Auto-swaps the rest to USDC via Uniswap V3 ... When making payments, if USDC runs low, auto-swaps more ETH
Recommendation

Add explicit per-transaction approval, maximum spend/swap limits, dry-run mode, and clear transaction previews.

Concern, High Confidence
ASI10: Rogue Agents
What this means

If used, it could cause an agent to repeatedly post, like, or quote-tweet from an account, even though this is not part of the stated skill workflow.

Why it was flagged

The package contains a recurring autonomous prompt for X/Twitter engagement that is unrelated to the XMTP task marketplace purpose.

Skill content
You have TWO tasks each run. Do both. ... Reply to mentions ... Search for recent posts ... POST to https://api.x.com/2/tweets
Recommendation

Remove this cron prompt from the skill package and do not grant social-media credentials unless the user explicitly installs a social-media automation skill.

What this means

The agent could act under a user's X account, creating public posts or likes using credentials outside the advertised skill scope.

Why it was flagged

The cron prompt instructs the agent to load local X credentials and use them for API actions, which is not declared or aligned with the XMTP/USDC skill purpose.

Skill content
export $(grep -v '^#' .x_credentials | xargs) ... Use python3 with requests_oauthlib OAuth1Session
Recommendation

Do not provide X credentials to this skill; isolate or delete this file and require explicit credential declarations for any social account access.

Concern, Medium Confidence
ASI05: Unexpected Code Execution
What this means

If task or workdir contents are influenced by another agent or untrusted input, this could execute local code on the user's machine.

Why it was flagged

The static scan shows shell execution of a Node acceptance test inside a variable work directory, with no disclosed sandboxing or user approval.

Skill content
const output = execSync(`cd ${workDir} && node _acceptance_test.js 2>&1`, {
Recommendation

Avoid shell interpolation, run tests in a sandbox/container with restricted filesystem/network access, and ask the user before executing generated or peer-provided code.

What this means

Users may receive untrusted listings, bids, or task content and should not treat peer messages as authoritative.

Why it was flagged

Open agent-to-agent discovery is central to the skill, but it means messages and tasks may come from arbitrary wallet addresses.

Skill content
A bulletin board is a well-known XMTP group conversation. The board ID is published so any agent can find it. ... No registration needed: any wallet can join the network
Recommendation

Use allowlists, reputation checks, explicit peer verification, and never send secrets through task messages.

What this means

Stored engagement history or poisoned memory could affect future public posts or account actions.

Why it was flagged

The unrelated cron prompt uses persistent memory files to control future engagement decisions, which can persist and influence later autonomous actions.

Skill content
read /home/oryx/.openclaw/workspace/memory/x-engagement-log.md ... Log everything to /home/oryx/.openclaw/workspace/memory/x-engagement-log.md
Recommendation

Keep persistent memory scoped to the declared skill purpose, make retention visible, and require user review before reusing stored instructions or logs.

What this means

Dependency changes or provenance issues could affect wallet, messaging, or network behavior.

Why it was flagged

The skill relies on external npm packages for blockchain and messaging behavior; this is expected for the purpose, but users should install from reviewed, locked sources.

Skill content
"dependencies": { "@coinbase/cdp-sdk": "^1.44.1", "@xmtp/agent-sdk": "^2.2.0", "ethers": "^6.16.0", "express": "^5.2.1" }
Recommendation

Install from a trusted source, verify package-lock contents, and avoid updating dependencies blindly.