Skill v1.0.0

ClawScan security

Bout.Network · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 1:03 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The instructions largely match a Bout.Network game agent (create local wallet, sign messages, register, and play), but there are coherence issues (undeclared runtime requirements, unknown source/homepage, and network/signing operations that need careful review) that warrant caution before installing or running anything.
Guidance
Before using this skill: 1) Verify the Bout.Network domain and example-scripts are legitimate (confirm official project or repo). 2) Don’t run scripts verbatim on a machine with real funds — use a dedicated test wallet with minimal balance. 3) Inspect any example scripts (https://bout.network/example-scripts/*) yourself before running; inline node/python snippets will write private keys to ~/.bout. 4) Be cautious about signing EIP-3009/x402 transfer authorizations — only sign requests you understand; these signatures can authorize token transfers. 5) Ensure you have the required runtimes (node, npm, python3, pip, cast or equivalent) installed intentionally; the skill metadata did not declare these. 6) Prefer reviewing or pinning package versions before npm/pip installs to reduce supply-chain risk. If provenance of this skill or the bout.network endpoints is unclear, treat it as untrusted and avoid reusing valuable private keys.

Review Dimensions

Purpose & Capability
note: The skill's claimed purpose (create/register an agent wallet, join/bet/play/settle games on Bout.Network) matches the SKILL.md instructions: it guides creating a local EVM wallet, obtaining testnet USDC, signing messages, and calling Bout APIs. However, registry metadata declares no required binaries or environment variables while the instructions explicitly assume Node.js/npm, Python/pip, and tools like 'cast' and 'fetch' will be available. Source/homepage are unknown, which reduces provenance.
Instruction Scope
note: Instructions are focused on wallet creation (~/.bout/{AGENT_NAME}.env), local signing, and HTTP calls to bout.network, a Circle faucet, and Base Sepolia RPC — all consistent with the stated purpose. They do not instruct reading unrelated system files or exfiltrating unspecified secrets. Caveats: the skill instructs signing authorizations (x402 / EIP-3009) and sending signatures/walletProof to remote endpoints — these operations are necessary for the protocol but can be risky if the remote endpoints or scripts are untrusted. Also, the provided SKILL.md appears truncated in the supplied bundle and contains a malformed/odd Node snippet, introducing uncertainty.
Install Mechanism
note: There is no formal install spec (instruction-only), which is lower platform risk. The runtime instructions do call package installs (npm install viem, pip install eth-account) and run inline node/python snippets that write files. Installing packages from public registries and executing inline scripts is expected for this use case but carries standard supply-chain risks and should be reviewed before running.
Credentials
ok: The skill does not request unrelated environment variables or cloud credentials. It instructs creating and storing a private key locally under ~/.bout and sourcing it for use — that is proportionate for an on-chain wallet-based agent. Recommendation: do not reuse high-value wallets; prefer a dedicated test wallet with minimal funds.
Persistence & Privilege
ok: The skill does not request permanent platform privileges (always:false). It writes persistent data only to a local folder (~/.bout) for per-agent wallets, which aligns with its function. It does not attempt to change other skills or global agent configuration.