ClawHub

CLAWP

v0.2.0

CLAWP Agent - AI token creation advisor powered by OpenClaw

3· 1.5k·0 current·0 all-time
by@iclawn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The README/SKILL.md repeatedly states the agent will 'coordinate deployment' and 'manage post launch buyback and burn execution' and even references a user 'Deposit → Guide to 0.025 SOL deposit', yet the skill is instruction-only: no code, no install, no network endpoints, and no credentials are declared. That mismatch (claiming operational/execution capability without any declared mechanism) is incoherent.
!
Instruction Scope
Runtime instructions focus on generating JSON blueprints and deterministic flows, but they also describe deployment, automatic post-launch actions, and a deposit step. The SKILL.md gives no concrete mechanism for execution or custody and does not clearly limit the agent to advisory-only behavior, leaving room for confusing or misleading behavior if the platform or other components implement execution.
Install Mechanism
No install spec and no code files are provided, so there is no package download or on-disk install risk from this skill itself. That limits its direct ability to perform actions beyond producing text.
!
Credentials
The skill requests no environment variables or credentials, yet its asserted capabilities (performing deposits, executing launches, automated buybacks) would normally require private keys, API tokens, or endpoints. The absence of declared credentials is disproportionate to the operational claims and increases ambiguity about where execution would actually occur.
!
Persistence & Privilege
always:true is set, meaning this skill is force-included for all agents. That is a significant privilege — especially for a skill that claims the ability to coordinate financial operations. Always-on status combined with unclear execution boundaries raises the risk surface.
What to consider before installing
This skill appears to be primarily an advisor that produces token 'blueprints', but it also claims to coordinate deposits and automated execution without providing code, endpoints, or credentials — and it's marked always-on. Before installing: 1) Ask the publisher where the 'fixed execution mechanics' actually live (URLs, services, or other components). 2) Confirm who holds funds and how deposits are processed — do not send SOL to any address without independent verification. 3) Request the implementation code or an audit that shows how deployment and buyback are executed and which keys/servers are involved. 4) Ask the maintainer to remove always:true or justify why it must be force-included. 5) If you plan to use it for real launches, require a security review and explicit, auditable custody model. If the publisher cannot answer these, treat the skill as advisory-only text and do not rely on it to perform or automate financial operations.

Like a lobster shell, security has layers — review code before you run it.

agentvk972q8jq67fvm8fs1xs0hn5dw580ac6jautomationvk972q8jq67fvm8fs1xs0hn5dw580ac6jcreationvk972q8jq67fvm8fs1xs0hn5dw580ac6jlatestvk972q8jq67fvm8fs1xs0hn5dw580ac6j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐾 Clawdis

Comments