Ai Bounty Claim
Advisory
Audited by Static analysis on Mar 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After confirmation, the agent may submit a blockchain transaction that affects the user's wallet or claim status.
This documents an on-chain write action through a helper. It is purpose-aligned and gated on explicit confirmation, but it can spend gas and finalize a claim.
Only after explicit confirmation, prefer `managerForwardCallWithKey(...)` to send the forwarded AA/CA claim through `ManagerForwardCall`.
Before confirming, verify the signer, caHash, contract address, method chain, reward receiver, and expected gas behavior.
If the signer or private key is exposed or misused, the user's wallet/account authority could be affected.
The example uses a wallet private key from the environment for a manager signer. This is expected for a wallet transaction workflow, but private keys and signer authority are high-impact credentials.
`const privateKey = process.env.PRIVATE_KEY!;`
Do not paste private keys into chat, use only trusted local wallet tooling, keep environment variables secure, and confirm transactions only after reviewing the write summary.
The actual wallet-handling behavior may depend on external skill code or instructions outside this review context.
The skill explicitly relies on external dependency skills by URL, but the supplied artifacts do not pin versions or include those dependency contents for review.
Portkey EOA skill: `https://github.com/Portkey-Wallet/eoa-agent-skills` ... Portkey CA skill: `https://github.com/Portkey-Wallet/ca-agent-skills`
Use trusted, reviewed, preferably pinned versions of the Portkey dependency skills before allowing wallet operations.
