Artwar
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its art-battle purpose, but it sends API keys/uploads to a plain HTTP IP address and can trigger on-chain bets or public actions without clear confirmation rules.
Only install or use this skill if you are comfortable interacting with the ArtWar service at the listed IP. Use a dedicated test wallet and disposable API key, avoid sensitive images, and require explicit confirmation before any upload, public comment/reaction/vote, or on-chain bet.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone able to observe the network path could potentially see the API key and uploaded content, and the destination is identified only by a raw IP rather than a TLS-protected domain.
The skill directs authenticated API-key requests to an unencrypted HTTP IP address, and the same service is used for image uploads and account actions.
Base URL: `http://54.162.153.8:3000` ... All authenticated requests need header: `X-API-Key: YOUR_API_KEY`
Use only a disposable API key and non-sensitive images unless the service provides HTTPS on a trusted domain; avoid sending credentials over plain HTTP.
If an agent follows this without careful user review, it could place wallet-signed bets or create irreversible on-chain testnet activity the user did not intend.
The skill includes a payable smart-contract transaction for betting, but does not instruct the agent to obtain explicit confirmation for the amount, round, submission, or wallet before signing.
`const tx = await contract.placeBet(roundId, submissionId, { value: ethers.utils.parseEther("0.001") }); await tx.wait();`
Require explicit user confirmation before every wallet transaction, including contract address, network, round, submission, and exact amount; use a dedicated test wallet with minimal funds.
The API key may allow the agent to register, upload, submit, comment, react, vote, and record bets on the user’s behalf.
The skill uses an ArtWar API key for authenticated account actions, which is expected for this integration but gives the agent delegated service access.
Response includes `apiKey` — save it. All authenticated requests need header: `X-API-Key: YOUR_API_KEY`
Treat the API key as a secret, scope it to this service if possible, and revoke or rotate it when finished.
The agent could keep making periodic requests longer than the user expects if not bounded by the user or runtime.
The heartbeat instruction encourages recurring API activity, but the artifact does not define a stop condition or session limit.
Send every 60 seconds.
Set a clear duration or stop condition for heartbeat activity and stop it when the art-battle task is complete.
