Hodl Dance Skill

Audited by ClawScan on May 16, 2026.

Overview

The skill appears to do what it claims, but it gives an agent live BSC trading and token-approval authority with a private key and limited built-in safeguards.

Install only if you are comfortable giving this skill authority to sign BSC transactions. Use a separate low-balance wallet, pin and verify the npm package, quote trades first, manually approve every buy/sell/create action, verify bonding curve addresses from the official HODL.DANCE UI/API, and revoke ERC20 allowances after selling if needed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent selects the wrong address or amount, BNB can be irreversibly spent on-chain.

Why it was flagged

The command sends a payable on-chain transaction using a caller-supplied contract address and BNB amount. The code does not enforce a confirmation prompt, spend limit, min-output/slippage check, or validation that the address is a HODL.DANCE bonding curve.

Skill content

const curveAddress = args[0];
const bnbAmount    = args[1];
...
const curve  = getCurve(curveAddress, wallet);
...
tx = await curve.buyTokens({ value, gasLimit: 300_000 });

Recommendation

Use a dedicated low-balance wallet, require explicit user approval for every buy, set external spend limits, and validate bonding curve addresses against trusted HODL.DANCE data before trading.

What this means

A mistaken or malicious bonding curve address could receive token-spending approval, and any failed sell after approval may leave an allowance behind.

Why it was flagged

Selling automatically approves the provided bonding curve address to spend the specified token amount and then sells. The approval is exact and disclosed, but it is still high-impact authority and the code does not verify that the supplied curve address is legitimate before granting allowance.

Skill content

if (allowance < amountWei) {
  const approveTx     = await tokenContract.approve(curveAddress, amountWei, { gasLimit: 100_000 });
  const approveReceipt = await approveTx.wait();
  approveTxHash = approveReceipt.hash;
}

const tx      = await curve.sellTokens(amountWei, { gasLimit: 300_000 });

Recommendation

Confirm the curve and token addresses before selling, consider revoking allowances after use, and add contract allowlisting or factory/API validation before approve/sell.
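As an added example (not code from the skill or from ClawScan), here is a pre-flight guard a wrapper could run before the buyTokens and sellTokens calls quoted in the two findings above: it allowlists the curve address, caps BNB per buy, requires explicit confirmation, and on sell grants only an exact allowance and revokes whatever is left afterwards. ALLOWED_CURVES, MAX_BNB_PER_TRADE_WEI, guardTrade and guardedSell are assumed names; the token and curve objects are assumed to expose the ethers-style allowance/approve/sellTokens calls shown in the excerpts.

```javascript
// Assumed names and values; nothing here is from the skill itself.
// Constructed allowlist: populate it from the official HODL.DANCE UI/API.
const ALLOWED_CURVES = new Set([
  '0x1111111111111111111111111111111111111111', // constructed sample address
]);
const MAX_BNB_PER_TRADE_WEI = 50_000_000_000_000_000n; // 0.05 BNB, assumed cap

function isAddress(addr) {
  return typeof addr === 'string' && /^0x[0-9a-fA-F]{40}$/.test(addr);
}

// Pure check, sends nothing. Returns { ok: true } or { ok: false, reason }.
function guardTrade({ action, curveAddress, amountWei, confirmed }) {
  if (action !== 'buy' && action !== 'sell') return { ok: false, reason: 'unknown action' };
  if (!isAddress(curveAddress)) return { ok: false, reason: 'malformed curve address' };
  if (!ALLOWED_CURVES.has(curveAddress.toLowerCase())) {
    return { ok: false, reason: 'curve address not in allowlist' };
  }
  if (typeof amountWei !== 'bigint' || amountWei <= 0n) return { ok: false, reason: 'invalid amount' };
  if (action === 'buy' && amountWei > MAX_BNB_PER_TRADE_WEI) {
    return { ok: false, reason: 'exceeds per-trade BNB limit' };
  }
  if (confirmed !== true) return { ok: false, reason: 'explicit user confirmation required' };
  return { ok: true };
}

// Sell with an exact approval and allowance cleanup. `token` and `curve` are
// assumed to expose allowance/approve/sellTokens returning tx objects with wait().
async function guardedSell(token, curve, owner, curveAddress, amountWei, confirmed) {
  const check = guardTrade({ action: 'sell', curveAddress, amountWei, confirmed });
  if (!check.ok) throw new Error(`refused sell: ${check.reason}`);
  const allowance = await token.allowance(owner, curveAddress);
  if (allowance < amountWei) await (await token.approve(curveAddress, amountWei)).wait();
  try {
    return await (await curve.sellTokens(amountWei)).wait();
  } finally {
    // Revoke any leftover allowance whether or not the sell succeeded.
    const left = await token.allowance(owner, curveAddress);
    if (left > 0n) await (await token.approve(curveAddress, 0n)).wait();
  }
}
```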

What this means

Anyone or any process that can read this environment variable can control the wallet funds.

Why it was flagged

The skill uses a raw private key from an environment variable to sign transactions locally. That is purpose-aligned for trading, and the code shown does not transmit the key, but it is highly sensitive and is not declared in the registry env-var metadata.

Skill content

const pk = process.env.HODL_PRIVATE_KEY;
if (!pk) throw new Error('HODL_PRIVATE_KEY env variable not set');
return new ethers.Wallet(pk, getProvider());

Recommendation

Use a dedicated trading wallet with limited funds, avoid storing a main wallet private key in the environment, and clear the variable when not using the skill.

What this means

The chosen logo file and token metadata become visible to the provider and may be published through IPFS/platform workflows.

Why it was flagged

Token creation uploads the selected local logo file, wallet address, and token metadata to the HODL.DANCE API. This is disclosed and purpose-aligned, but users should understand the data leaves the local machine.

Skill content

form.append('creator',     wallet.address);
form.append('logo', fs.createReadStream(resolvedLogo), {
  filename: path.basename(resolvedLogo),
});

const uploadRes  = await fetch(`${API_BASE}/token/create`, {
  method: 'POST',
  body: form,

Recommendation

Only provide non-sensitive image files and public metadata; do not pass arbitrary private files as the logo path.

What this means

A future or different npm package version could execute code that was not part of this review.

Why it was flagged

The documented setup runs an npm package without pinning an exact version in the command. This is common for CLI tools, but it matters more here because the package handles wallet private keys and signs financial transactions.

Skill content

npm install -g @hodl-dance/skill
# or without installing:
npx @hodl-dance/skill <command>

Recommendation

Pin the package version, verify the package source/checksum, and avoid exposing HODL_PRIVATE_KEY to unreviewed package versions.