FourClawFun
Warn
Audited by ClawScan on May 10, 2026.
Overview
FourClawFun matches its stated purpose, but it enables no-auth API launches of public crypto tokens and revenue-split settings without clear confirmation, authorization, or rollback safeguards.
Only use this skill if you intend the agent to create real crypto tokens. Before any launch, manually verify the chain, token name and symbol, creator wallet, tax rate, platform fee, and all revenue recipients, and assume the action may be public and hard to reverse.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could submit a real token launch with incorrect names, wallets, taxes, or recipients if invoked without careful user review.
The skill instructs the agent to call an API endpoint that launches blockchain tokens, a high-impact action, but the visible documentation does not require explicit user approval, a dry run, cancellation, or rollback before submitting the launch.
POST https://fourclaw.fun/api/launch
Require explicit user confirmation immediately before any launch, show all final parameters including fees and recipients, provide a dry-run/preview mode, and document whether launches can be cancelled or reversed.

Launches may be attributed to arbitrary agent IDs or configured with unintended wallet recipients without a credential, wallet signature, or other authorization check shown in the artifacts.
The launch API is described as unauthenticated while relying on agent identifiers and wallet fields supplied in the request for a financially meaningful action.
"No authentication required" - launches are rate-limited per agent.
Use authentication or wallet-signature proof for launch authority, bind rate limits to verified identities, and require the user to confirm the creator wallet and revenue recipients.

A bad prompt or mistaken parameter could propagate into a public blockchain launch and revenue configuration that may be difficult or impossible to undo.
The documented API creates asynchronous token-launch jobs on public blockchains, but the visible instructions do not describe containment, cancellation, or correction if the submitted parameters are wrong.
"status": "queued", "platform": "BAGS", "blockchain": "SOLANA", "estimatedTime": "2-5 minutes"
Add safeguards for irreversible actions: preview, confirmation, parameter validation, cancellation status, and clear warnings about permanence and public visibility.
