v1.0.2

ClawSea NFT Marketplace

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:31 AM.

Analysis

The skill is coherent for an NFT marketplace, but it can guide an agent to use a wallet/private key and perform irreversible NFT trading actions, so it needs careful review before enabling trading.

Guidance: Use this skill as read-only unless you specifically need NFT trading. Before enabling trading, verify the source, prefer an external wallet signer, avoid storing a raw private key if possible, use a low-balance bot wallet, limit token approvals, and require manual review of every transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
Execution workflow (recommended) ... Preflight onchain with `eth_call` for Seaport fulfill. Execute onchain tx from bot wallet. Update offchain state via `/api/orders/fulfill` or `/api/orders/cancel`.

This explicitly instructs the agent to perform onchain transactions and marketplace state updates, which can move assets or affect NFT orders.

User impact: If trading is enabled, a mistaken or insufficiently reviewed approval could cause the agent to buy, list, fulfill, or cancel NFT orders with real wallet consequences.
Recommendation: Keep the skill read-only unless trading is intentionally needed; require human review of decoded transaction details, price, chain, collection, token ID, recipient, and gas before every transaction.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The artifact does not provide an authoritative source or homepage for verifying that the marketplace instructions and endpoints are official.

User impact: Users have less provenance information when deciding whether to trust this skill with wallet-related trading workflows.
Recommendation: Verify the skill owner and ClawSea endpoint documentation through a trusted source before enabling wallet signing or autonomous trading.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
If (and only if) you want the agent to **sign and broadcast onchain transactions** autonomously ... **If unavoidable:** `BOT_WALLET_PRIVATE_KEY` in a secure secret store only

A raw wallet private key gives the agent signing authority over a wallet; the registry metadata does not declare a primary credential or env vars for this optional but sensitive mode.

User impact: Configuring the private key could let the agent control the bot wallet for marketplace transactions, including spending funds or affecting NFTs held or approved by that wallet.
Recommendation: Prefer an external signer or wallet provider with explicit per-transaction approval; if a bot wallet is used, keep minimal funds in it, limit approvals, and treat the private key as a high-value secret.