v1.0.0

gigaverse

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:53 AM.

Analysis

This is a coherent crypto-game skill, but it deserves careful review because it stores wallet credentials and can perform autonomous game actions and paid blockchain transactions.

GuidanceInstall only if you are comfortable running a crypto-game agent with wallet authority. Use a dedicated low-balance wallet, avoid importing any primary wallet, keep autonomous mode and heartbeat disabled until you understand the behavior, and manually approve every mint or GigaJuice purchase.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/purchase-juice.ts

const privateKey = process.env.NOOB_PRIVATE_KEY; ... const listingId = parseInt(process.argv[2] || '2', 10); ... await client.sendTransaction({ to: GIGAJUICE_CONTRACT, data, value: parseEther(price) });

The purchase helper uses a private key and sends an on-chain payment transaction, defaulting to listing 2 if no listing is provided, without an interactive confirmation step in the script.

User impactAn agent or user invoking this script can spend ETH on an irreversible blockchain purchase.

RecommendationDo not allow autonomous execution of purchase or mint scripts; require explicit human approval for every paid transaction and verify the contract address, listing, and amount first.

Rogue Agents

SeverityLowConfidenceHighStatusNote

HEARTBEAT.md

Gigaverse Check (every 30 minutes) ... If autonomous: level up according to strategy ... Update lastGigaverseCheck timestamp

The skill documents optional periodic background checks and autonomous level-up behavior. This is disclosed and game-related, but it creates ongoing agent activity if the user adds it to a heartbeat.

User impactThe agent may keep checking status and may mutate game progress periodically if configured for autonomous operation.

RecommendationOnly add the heartbeat if you want ongoing activity; prefer interactive mode or disable auto-leveling/restarts until you trust the setup.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

metadata

Source: unknown ... No install spec — this is an instruction-only skill ... Code file presence: 7 code file(s)

The registry provenance/install declaration is sparse even though executable helper scripts and package files are included. This is not evidence of malicious behavior, but it means users should inspect the scripts and dependencies before running them.

User impactUsers may not realize the skill includes executable setup, authentication, minting, and purchase helpers despite the no-install-spec declaration.

RecommendationReview the included scripts and package-lock before running commands, and install dependencies only from trusted package sources.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/setup-wallet.sh

KEY_FILE="${SECRETS_DIR}/gigaverse-private-key.txt" ... echo "$PRIVATE_KEY" > "$KEY_FILE" ... chmod 600 "$KEY_FILE"

The setup flow persists a raw blockchain private key locally. That key can authorize wallet actions and control funds/assets, so this is high-impact credential handling even though it is disclosed.

User impactIf a valuable or primary wallet is imported, the agent environment and these scripts gain access to a key that can authorize irreversible wallet actions.

RecommendationUse only a fresh, low-balance bot wallet; do not import a primary wallet; protect and back up ~/.secrets/gigaverse-private-key.txt; remove the key when no longer needed.