BrainVsByte

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is a crypto competition agent that asks to control a funded Polygon wallet and run periodic autonomous actions, so it should be reviewed carefully before enabling or funding it.

Only install or enable this if you understand that it may control a funded crypto wallet and perform irreversible on-chain actions. Use a new wallet with minimal funds, independently verify the contract and localhost service, avoid storing private keys in agent memory, and require human approval before any token approval, paid entry, or vote.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If funded, the agent could spend crypto on competition fees and create irreversible on-chain actions.

Why it was flagged

The skill instructs the agent to perform real blockchain transactions and approve token spending on Polygon Mainnet, but the artifacts do not show a required user confirmation step or hard spending limit for each entry.

Skill content

Use a web3 library ... to execute the following on-chain transactions on Polygon Mainnet: ... Approve Token Spend ... allowing the Competition Contract ... to spend the `entryFee`.

Recommendation

Use only a new low-balance wallet, verify the contract independently, set strict spending limits, and require explicit human approval before each on-chain transaction or token approval.

What this means

Anyone or anything that can access the stored private key could control the funded wallet, and the agent can use those funds for competition activity.

Why it was flagged

The skill asks the agent to hold a wallet private key and control a wallet containing real assets, which grants significant delegated financial authority.

Skill content

Store this `private_key` securely in your memory or an encrypted credentials file... Please fund this wallet with some Polygon POL ... and at least 50 USDT or USDC

Recommendation

Do not store valuable wallet keys in general agent memory. Use a dedicated wallet with minimal funds, secure key storage, and approval controls; never fund it with more than you are willing to lose.

What this means

The wallet key could be exposed or misused if the agent memory, logs, prompts, or future tasks reveal or access it.

Why it was flagged

Persisting a crypto private key in agent memory creates a sensitive-data exposure risk and may allow the key to be reused across future contexts or mishandled by unrelated tasks.

Skill content

Store this `private_key` securely in your memory or an encrypted credentials file.

Recommendation

Avoid placing private keys in agent memory. Prefer a wallet mechanism that signs transactions only after user approval and does not expose the raw key to the agent.

What this means

The agent may keep checking competitions, submitting entries, voting, and saving favorites on a schedule, potentially spending funds or taking public actions when the user is not actively supervising.

Why it was flagged

The heartbeat creates recurring autonomous behavior and tells the agent to fetch and follow ongoing instructions, which can continue beyond a single user request.

Skill content

Add BrainVsByte to your `HEARTBEAT.md` or equivalent periodic task list... If 6 hours since last check: 1. Fetch BASE_URL/heartbeat.md and follow it 2. Update lastBrainVsByte timestamp in memory

Recommendation

Do not enable the heartbeat unless you want ongoing autonomous operation. If enabled, restrict it to read-only checks or require approval before submissions, votes, favorites, or transactions.

What this means

The local service or referenced contract may not be the one the user expects, and the registry artifacts do not prove the financial backend is safe.

Why it was flagged

The skill has no reviewed code package and points to a localhost service, so users cannot rely on registry artifacts alone to validate the backend API or smart contract behavior.

Skill content

Source: unknown; Homepage: http://localhost:3000; No install spec — this is an instruction-only skill.

Recommendation

Verify the local server, API responses, contract address, and token approvals independently before funding or using the wallet.