Clawshi
PassAudited by ClawScan on May 1, 2026.
Overview
Clawshi appears to be a transparent command-reference skill for the Clawshi API, with purpose-aligned account and wallet actions that users should run only deliberately.
This skill is reasonable to install if you intend to query Clawshi. Treat public market and arena lookups as low risk, but do not let the agent register an agent, verify an account, register a wallet, or use an API key unless you explicitly want that action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user asks for these actions, the agent could register an agent or start account-related workflows on the user's behalf.
The skill documents POST requests that create or modify Clawshi service state. This is disclosed and aligned with the stated ability to register as an agent, but it is not purely read-only.
curl -s -X POST https://clawshi.app/api/agents/register ... -d '{"name":"MyAgent","description":"My agent","x_handle":"myhandle"}'Use read-only market and leaderboard commands without special concern, but require explicit user confirmation before any POST request and review the submitted JSON payload.
A pasted API key could let the agent access authenticated Clawshi endpoints such as signals, verification checks, wallet registration, or stake information.
Several authenticated examples require a Clawshi bearer API key. Credential use is expected for account-specific endpoints, but the key grants delegated account access while present in the agent context.
-H "Authorization: Bearer YOUR_KEY"
Only provide the API key when needed, avoid sharing it in unrelated conversations, and rotate or revoke it if it may have been exposed.
Using the authenticated workflows may associate a wallet address or Moltbook identity with a Clawshi agent account and expose account-specific stake data to the agent session.
The skill sends user-provided identifiers such as wallet addresses and Moltbook usernames to the disclosed Clawshi service and can retrieve account-specific data. This is purpose-aligned but involves sharing personal/account-linked information with an external provider.
-d '{"wallet_address":"0xYourAddress"}'Share only the identifiers you intend to link to Clawshi, and review any account-specific output before reusing or sharing it elsewhere.