Dogecoin Node

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: dogecoin-node

Version: 1.0.5

The skill provides comprehensive automation for Dogecoin node management and wallet operations, which are inherently high-risk activities. It is classified as suspicious due to potential shell injection vulnerabilities in the `package.json` command definitions (e.g., `/dogecoin-node send` and `/dogecoin-node balance`), where user-provided parameters are passed directly into bash scripts without visible sanitization. While the included scripts (`doge_health_check.sh` and `dogecoin_tipping.py`) appear functional and aligned with the stated purpose, the combination of broad filesystem permissions and the ability to execute financial transactions via the Dogecoin CLI creates a significant attack surface for prompt injection or unauthorized fund transfers.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken, unauthorized, or unsafe invocation could move real DOGE; if parameters are not safely escaped by the platform, malicious input could also affect the local shell command.

Why it was flagged

The send command is executed through a shell handler with user-controlled recipient and amount parameters, and it can broadcast a real Dogecoin transaction. The artifacts do not show validation, shell escaping, confirmation, or spend limits.

Skill content

"trigger": "/dogecoin-node send", ... "handler": "bash", "script": "$HOME/dogecoin-cli -datadir=$HOME/.dogecoin sendtoaddress {{recipient}} {{amount}}"

Recommendation

Use strict Dogecoin address and amount validation, avoid shell interpolation where possible, require explicit user confirmation for every send, add maximum spend limits, and prefer testnet or watch-only defaults.

What this means

The skill can act with the privileges of the user's local Dogecoin wallet and may spend funds from whichever wallet is available to Dogecoin Core.

Why it was flagged

The skill requests access to the local Dogecoin data directory and localhost RPC path and includes a command that spends from the loaded wallet, which is broader than read-only node monitoring.

Skill content

"filesystem": ["~/.dogecoin", ...], "network": ["github.com", "api.coingecko.com", "127.0.0.1"], ... "sendtoaddress {{recipient}} {{amount}}"

Recommendation

Use a dedicated low-balance wallet, keep wallets encrypted and locked by default, restrict RPC to localhost, avoid loading valuable wallets into this node, and require separate approval before any spend.

What this means

If the downloaded binary or download path were compromised, the user could install untrusted node software.

Why it was flagged

Downloading Dogecoin Core is expected for this skill, but the instructions do not show checksum or signature verification before extracting and using the binaries.

Skill content

curl -L -o dogecoin-1.14.9-x86_64-linux-gnu.tar.gz ... github.com/dogecoin/dogecoin/releases/download/v1.14.9/dogecoin-1.14.9-x86_64-linux-gnu.tar.gz

Recommendation

Download only from the official Dogecoin release page and verify checksums or release signatures before extracting or running binaries.

What this means

The node and health checks may continue consuming disk, CPU, and network resources, and may restart the node without a fresh prompt.

Why it was flagged

The skill recommends persistent scheduled execution of a health script. This is coherent for node monitoring, but it means the skill-related automation can keep running after setup.

Skill content

Dashboard Integration: Navigate to the Cron Jobs tab and add a new entry pointing to the health script. Recommended Interval: `*/30 * * * *`

Recommendation

Only enable the cron job if you want continuous monitoring, review the health script first, monitor disk usage, and remove the cron entry when no longer needed.