tytyt
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its Teneo wallet-and-agent purpose, but it involves raw Ethereum private-key use, paid requests, and inconsistent provenance metadata that should be reviewed before installation.
Install only if you trust the Teneo SDK and publisher. Use a dedicated low-balance wallet, set spending limits, manually approve paid requests and room invitations, and avoid sharing sensitive data with external agents.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a main wallet key is provided, the SDK or any code using it may be able to authenticate as that wallet and potentially authorize payments.
The skill instructs use of a raw Ethereum private key. That is high-impact wallet authority, especially because the registry metadata declares no primary credential or required environment variable.
privateKey: "0x...", // Ethereum private key
Use only a dedicated low-balance wallet for this skill, avoid pasting a main wallet private key, and prefer safer wallet-signing flows if available.

Repeated agent interactions could incur charges, even if each request is small.
The skill documents paid per-request interactions but does not show clear spend caps, approval gates, or a safe default that prevents repeated or autonomous paid calls.
Some require x402 payments for each interaction ... Payment amounts are typically $0.01 - $0.10 per request.
Require explicit user approval before paid requests, set a spending limit, and monitor wallet balances and transaction history.

The mismatch makes the skill’s provenance less clear, which matters for a wallet/payment integration.
The embedded metadata identifies a different owner/slug than the registry metadata for this review, which lists owner kn71qt4dwd8y90hp53een87ddd8114em and slug tyt.
"ownerId": "kn72jkn9ez848shmp342k5rem180gvp0", "slug": "teneo-agent-sdk"
Verify the publisher, package identity, and registry metadata before trusting this skill with wallet credentials.

Installing the wrong or compromised package version could affect wallet and payment handling.
The skill relies on an external npm SDK without pinning a version. This is purpose-aligned, but users should verify the package before installing.
npm install @teneo-protocol/sdk # or pnpm add @teneo-protocol/sdk
Install from a trusted registry, pin a known-good version, and review the SDK source or official documentation.

Messages, room context, or prompts may be shared with external agents or the Teneo platform.
The skill sends messages and room interactions to Teneo’s external service and AI agents. This is central to the purpose but crosses a data boundary.
WebSocket-based real-time communication with AI agents
Do not send secrets or sensitive private data unless you trust the platform and understand its data handling.
