Monad Wordle Skill
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is for an on-chain game, but it asks the agent to use a wallet private key and make real mainnet token purchases, approvals, and payments without clearly declared credentials or explicit per-transaction user approval.
Only install or use this if you intentionally want an agent to interact with Monad Mainnet and spend tokens. Use a separate low-balance wallet, never share a primary private key, verify the contract/API/ABI sources, and require manual confirmation for every purchase, approval, and game transaction.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is given this private key, it could sign transactions from the user's wallet, including token purchases and game payments.
The skill shows use of a wallet private key to create a signing account, but the registry declares no required environment variables or primary credential. A private key can authorize irreversible blockchain transactions.
const account = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`)
Do not provide a main wallet private key directly. Use a limited wallet with minimal funds, hardware-wallet or wallet-extension prompts, explicit per-transaction approval, and declared credential requirements.
The agent could spend $MON, approve token spending, or pay $WORDLE on Monad Mainnet in ways the user did not review first.
The intended execution flow directs the agent to buy tokens, approve a contract, and submit an on-chain game transaction. These are irreversible financial actions, but the artifact does not clearly require user approval, spending limits, or allowance limits.
If insufficient → buy $WORDLE with $MON via nad.fun
↓
Approve WordleGame contract
↓
Call playGame() on contract
Require explicit user confirmation before every buy, approval, and play transaction; show contract addresses, token amounts, slippage, fees, and allowance amounts; and cap approvals to the minimum needed.
If the external ABI or documentation is wrong or changes, the agent may construct or explain transactions incorrectly.
The reviewed artifact does not include the ABI and instead points to an external GitHub URL, while the skill uses that contract interface for token-related transactions.
ABI: [gameAbi](https://github.com/husseinrasti/monad-wordle/blob/main/contract/abi.json)
Verify the contract address and ABI from trusted sources before signing transactions, and prefer pinned or included ABI files for reviewed skills.
