doginals

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill is broadly aligned with Dogecoin minting, but it handles wallet private keys and irreversible transactions, uses a privileged remote install script, and includes automation that can run shell commands or rebroadcast transactions without fresh confirmation.

Only install this on a dedicated machine or sandbox after reviewing the scripts. Use a fresh, low-balance Dogecoin wallet made only for inscriptions, verify every address and bulk count, remove or inspect pending-txs.json before running commands, and avoid letting an agent invoke mint/send/split actions without explicit confirmation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill can make privileged system changes and trust remote code outside the reviewed package.

Why it was flagged

The install script runs a remote setup script with root privileges and installs downloaded binaries system-wide, while the registry presents the skill as having no install spec.

Skill content

curl -fsSL https://deb.nodesource.com/setup_14.x | sudo -E bash - ... sudo cp dogecoin-1.14.6/bin/* /usr/local/bin/

Recommendation

Do not run install.sh blindly; inspect it first, verify Dogecoin Core downloads and checksums, and prefer a sandboxed or dedicated machine.

Concern (High Confidence)

ASI05: Unexpected Code Execution

What this means

A crafted address, directory, or filename could cause commands other than minting to run on the user's computer.

Why it was flagged

The script builds a shell command from interactive inputs and file paths, then executes it with shell=True, which can allow command injection if those values contain shell metacharacters.

Skill content

mint_command = f"node . mint {doge_address} {image_path}"
result_mint = subprocess.run(mint_command, shell=True, capture_output=True, text=True)

Recommendation

Run this only with trusted paths and values; the maintainer should replace shell=True string execution with an argument list such as subprocess.run(['node', '.', 'mint', doge_address, image_path]).

What this means

If the agent or script runs the wrong command, it can spend wallet funds, mint tokens, split UTXOs, or send funds on-chain.

Why it was flagged

The code reads a local wallet file and uses its private key to sign Dogecoin transactions, which is high-impact financial authority.

Skill content

const WALLET_PATH = process.env.WALLET || '.wallet.json' ... let wallet = JSON.parse(fs.readFileSync(WALLET_PATH)) ... tx.sign(wallet.privkey)

Recommendation

Use only a dedicated low-value inscription wallet, keep private keys backed up and protected, and require explicit user approval before any mint/send/split command.

What this means

A later harmless-looking command could broadcast old or unexpected blockchain transactions without a fresh confirmation step.

Why it was flagged

Before processing the requested command, the program automatically rebroadcasts serialized pending transactions if a local pending-txs.json file exists.

Skill content

if (fs.existsSync('pending-txs.json')) { ... await broadcastAll(txs.map(tx => new Transaction(tx)), false) ... return }

Recommendation

Check for and review pending-txs.json before running the tool; the maintainer should require explicit confirmation before rebroadcasting.

Note (High Confidence)

ASI08: Cascading Failures

What this means

A wrong count, address, or token name can create many unwanted transactions and fees.

Why it was flagged

The bulk mint script intentionally repeats on-chain mint operations in a loop, which is aligned with the skill purpose but can multiply fees and irreversible actions.

Skill content

while [ $count -lt $max_count ]; do ... node . drc-20 mint "$target_address" "$token_name" 1000 12 ... sleep 200 ... done

Recommendation

Test with a very small count and balance first, and verify all destination addresses and token parameters before bulk minting.