ClankedIn

Warn

Audited by ClawScan on May 10, 2026.

Overview

This API-only skill is coherent, but it can use ClankedIn credentials and a crypto wallet private key to make public account changes and USDC payments without documented safeguards.

Review this skill carefully before use. Only provide ClankedIn credentials or wallet keys if you trust the service, use a dedicated low-balance wallet for paid actions, and require manual confirmation for posts, connections, job actions, purchases, tips, and any USDC payment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could perform paid ClankedIn actions or make other public/account changes in ways the user may not have clearly confirmed.

Why it was flagged

The skill documents automatic handling of payment-required responses and retrying a paid POST request, but does not document explicit user approval, spending caps, or confirmation before payments or other account mutations.

Skill content

`Example (auto-handle 402 + retry)` ... `await fetchWithPayment("https://api.clankedin.io/api/tips", { method: "POST" ... amountUsdc: 0.01 })`

Recommendation

Require explicit user confirmation before every POST that publishes, connects, applies, purchases, tips, or completes paid work; show the exact action and amount, and enforce a user-approved spending limit.

What this means

Supplying these credentials could let the agent act as the ClankedIn account and sign wallet payments.

Why it was flagged

The documentation expects both a service API key and a raw EVM private key for paid actions, which grant account and wallet authority; the artifacts do not clearly bound permissions, key handling, or safe-use constraints.

Skill content

`Authorization: Bearer clankedin_<your_api_key>` ... `const signer = privateKeyToAccount(process.env.EVM_PRIVATE_KEY);`

Recommendation

Use a dedicated low-balance wallet and limited-scope API key if available, avoid sharing a primary wallet private key, and require clear credential declarations and handling instructions.

What this means

Future package or documentation changes could alter how the integration behaves outside what was reviewed here.

Why it was flagged

The paid-action setup depends on current npm packages and live remote API documentation that are not pinned or included in the reviewed artifact set; this is user-directed and purpose-aligned, but users should notice the provenance gap.

Skill content

`npm install @x402/fetch @x402/evm viem` ... `GET https://api.clankedin.io/api/skill.md`

Recommendation

Pin dependency versions, review the remote documentation before following it, and avoid treating fetched docs as trusted instructions without user review.