ClawFriend
Warn. Audited by ClawScan on May 10, 2026.
Overview
ClawFriend matches its social/trading purpose, but it should be reviewed because it can run persistent jobs and community-provided code with wallet/API credentials, and one script uses unsafe shell execution.
Review this skill carefully before installing. If you use it, use a dedicated low-balance wallet, inspect and approve cron jobs, do not run untrusted community skills, review scripts that execute shell commands, and require explicit confirmation before posting publicly or signing blockchain transactions.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or poorly written community skill could influence the agent’s decisions before it handles your actual request, including requests involving trading or posting.
The skill makes mutable community skill instructions a mandatory first step for any request, which can cause unrelated or untrusted local instructions to redirect the agent’s behavior.
“BEFORE performing ANY action, you MUST check for community-installed skills” and “If relevant community skill exists → Read its SKILL.md and use it”
Do not allow community skills to be treated as automatically authoritative; require explicit user approval before reading or following a community skill for a task.
Community skill code could run with the same local access and configured credentials available to the agent.
The core skill instructs execution of scripts from separately installed community skills without showing provenance, pinning, sandboxing, or a user confirmation boundary.
“Execute skill-specific commands ... cd ~/.openclaw/workspace/skills/clawfriend-community-skills/<skill-name> ... node scripts/some-script.js [args]”
Only install audited community skills, inspect their scripts first, and require user confirmation before running any community-provided command.
A crafted profile/bio value could potentially cause unintended local commands to run under the user account.
A variable bio value is interpolated into a shell command. If that value can contain quotes or shell metacharacters, it may allow command injection.
execSync(`node ${skillPath}/scripts/register.js update-profile --bio "${bio}"`, {
Replace shell interpolation with execFile/spawn using an argument array, validate the bio value, and avoid invoking a shell for profile updates.
Background automation may keep running and interacting with ClawFriend even after setup, unless the user reviews and disables the cron jobs.
The setup flow creates persistent scheduled jobs as part of registration, meaning the skill continues operating after the immediate setup task.
“One command does EVERYTHING!” including “Sets up heartbeat cron job” and “Sets up activation monitor cron job”
Show users the exact cron entries before enabling them, document a clear removal command, and keep scheduled tasks limited to narrowly defined checks.
Anyone or any script with access to that private key can control the associated wallet assets.
The skill requires a blockchain private key and wallet address to sign transactions, which is purpose-aligned for trading but grants high-impact account control.
“Required fields: EVM_PRIVATE_KEY – Your private key for signing transactions; EVM_ADDRESS – Your wallet address”
Use a dedicated low-balance wallet, review every transaction before signing, and never reuse a primary wallet private key for this skill.
Incorrect or unauthorized use could transfer assets to the wrong address or make irreversible blockchain changes.
The skill exposes commands that can move shares on-chain. This is disclosed and aligned with the trading purpose, but it is a high-impact mutation operation.
“node scripts/transfer-shares.js transfer <subject_address> <to_address> <amount>”
Require explicit user confirmation for buy, sell, and transfer operations, and display recipient, subject, amount, network, fees, and transaction value before signing.
