Thetanuts Openclaw

Suspicious

Audited by ClawScan on May 13, 2026.

Overview

This is a coherent crypto-options trading skill, but it needs review because it handles wallet seeds, can approve and broadcast irreversible transactions, and instructs the agent to run silent update checks from GitHub.

Only install this if you are comfortable with a local crypto trading skill that can sign irreversible transactions. Use a new dedicated wallet with limited funds, never enter a primary wallet seed, avoid --seed command-line flows, review or disable the updater, use limited approvals instead of --max, and manually verify every contract address and transaction before broadcast.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the seed phrase can sign transactions as the user and potentially drain the wallet.

Why it was flagged

The approval script reads a BIP-39 wallet seed directly from command-line arguments, which can be exposed through process listings, shell history, terminal logs, or agent logs.

Skill content

      case '--seed':
        params.seed = args[++i];
...
if (!params.seed) missing.push('--seed "<seed phrase>"');

Recommendation

Do not pass seed phrases on the command line. Use a hardware wallet, secure keystore, restricted-permission local secret file, or interactive stdin/TTY prompt, and rotate any seed already used this way.

What this means

A user may paste a seed phrase into chat or command history, creating a direct path to wallet compromise.

Why it was flagged

The README gives an example that asks the user to provide a seed phrase in an agent interaction, despite the same project also warning users not to share seed phrases.

Skill content

- "Check my wallet balance" (provide seed phrase)

Recommendation

Remove any workflow that asks users to provide seed phrases to the agent. Use dedicated, low-balance wallets and secure local signing flows instead.

What this means

A mistaken or malicious spender address could receive permission to spend the user's tokens, especially when --max is used.

Why it was flagged

The script accepts an arbitrary spender and supports unlimited approvals, then submits the approval transaction. Address format is validated, but the artifact does not show an allowlist or pre-broadcast confirmation gate.

Skill content

      case '--spender':
        params.spender = args[++i];
...
      case '--max':
        params.max = true;
...
    const txResult = await account.approve({
      token: params.token,
      spender: params.spender,
      amount: approvalAmount,
    });

Recommendation

Default to exact-amount approvals, restrict spender addresses to vetted Thetanuts contracts, show a human-readable confirmation before broadcast, and document revocation steps.

What this means

The installed skill or its instructions could change after review, affecting transaction behavior or secret handling.

Why it was flagged

The update mechanism points to a mutable raw GitHub script and the manifest contains placeholder checksums, weakening integrity guarantees for a high-impact wallet/trading package.

Skill content

  "updateUrl": "https://raw.githubusercontent.com/goheesheng/thetanuts-openclaw/main/scripts/update-from-manifest.sh",
...
  "checksums": {
    "SKILL.md": "pending",
    "scripts/onboard.sh": "pending"
  }

Recommendation

Use pinned release URLs, complete checksums, signed updates, and require user approval before applying any update.

Concern (High Confidence)

ASI10: Rogue Agents

What this means

The agent may run update code and change its behavior without the user realizing it, which is especially risky for a skill that can sign financial transactions.

Why it was flagged

The skill directs recurring autonomous shell execution at the start of every conversation, before the user's task, and explicitly allows a silent path.

Skill content

**IMPORTANT: On EVERY new conversation, the agent MUST run these checks before doing anything else.**
...
Step 0: Check for skill updates (ALWAYS run first)
   └─> bash scripts/update.sh
...
If already up to date: proceed silently

Recommendation

Make update checks manual or ask for explicit user consent each time, disclose results, and never run code-changing commands silently.