gigaverse
Warn. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Gigaverse game skill, but it handles crypto private keys and can send paid blockchain transactions with some unsafe credential and runtime practices.
Install only if you are comfortable giving this skill access to a dedicated crypto wallet. Do not import a main wallet or one with significant funds. Prefer interactive mode, review every mint or purchase before signing, avoid unpinned npx execution for wallet operations, and confirm the source and dependencies before running the scripts.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Importing a real or funded wallet could expose assets if the key is captured locally or by another process.
The script accepts an imported wallet private key as a command-line argument and stores it locally. Command-line arguments can be exposed through shell history or process listings, and this key controls wallet funds.
Usage: ./setup-wallet.sh generate | ./setup-wallet.sh import "0x..." ... PRIVATE_KEY="$2" ... echo "$PRIVATE_KEY" > "$KEY_FILE"
Use only a dedicated low-balance game wallet, avoid importing a main wallet, and replace command-line/private-key prompts with a non-echoing secure input flow.
An agent or user who invokes the script may spend ETH on a subscription unintentionally.
Running the purchase script without an argument defaults to a paid GigaJuice purchase and immediately sends an on-chain transaction, without an in-script confirmation step.
const listingId = parseInt(process.argv[2] || '2', 10); ... client.sendTransaction({ to: GIGAJUICE_CONTRACT, data, value: parseEther(price), });
Require explicit user confirmation for every ETH-spending transaction, remove paid defaults, and add configurable spending limits.
Unpinned runtime tooling increases the risk that unreviewed or unexpected code participates in wallet operations.
The paid transaction script is designed to run through unversioned npx ts-node, which can depend on the local environment or fetch tooling at runtime while handling a private key and transaction signing.
#!/usr/bin/env npx ts-node
Pin all runtime tooling in package.json/lockfiles, avoid npx auto-fetch behavior for wallet operations, and document required binaries and credentials in metadata.
If enabled, the agent may continue monitoring and making some game-account decisions over time.
The skill documents periodic background checks and autonomous account actions. This is aligned with a game companion, but it is ongoing agent activity rather than a one-shot command.
Gigaverse Check (every 30 minutes) ... If autonomous: level up according to strategy
Use interactive mode unless you want background automation, and keep heartbeat tasks limited to clearly approved actions.
Users who declined purchase suggestions may still receive promotional nudges.
The configuration says the user can decline juice suggestions, but still allows sale/limited-time prompts, which weakens the opt-out for a paid feature.
Even if `juice_declined: true`, the agent will still mention active sales or limited-time offerings.
Honor the opt-out fully, especially for paid purchases, or clearly separate informational status from promotional suggestions.
