ClawdVine

Key points to consider before installing or using this skill: - Hidden secret requirement: The bundle's scripts and SKILL.md require an EVM private key (EVM_PRIVATE_KEY) to sign SIWE messages and to make x402 payments. The registry metadata incorrectly lists no required env vars — treat that as an omission, not a safety guarantee. - High-risk action: Providing a private key gives the skill the ability to sign on-chain operations. If you must test this, use a dedicated wallet with minimal funds and only the exact token (USDC) required for payments; never expose your primary wallet or keys with real funds. - Persistence: The instructions explicitly ask agents to save your agentId permanently (memory/config/environment). Consider whether you want that persistent link between your agent and the service. - Prompt-injection signal: SKILL.md contains text patterns flagged as 'system-prompt-override'. Manually inspect the SKILL.md for any instructions that ask the agent to change its system prompts, ignore safety, or execute open-ended 'use your judgment' actions. Don't trust automatic evaluation alone. - Operational advice: If you decide to proceed, run these scripts locally in an isolated environment (not granting them to an autonomous agent), audit network traffic to verify endpoints (api.clawdvine.sh, x402 facilitator), and review the open-source repository (package.json lists https://github.com/onbonsai/clawdvine-skill) and commit history. Prefer connecting via an external wallet UI or hardware wallet rather than exporting the private key into environment variables where possible. What would change this assessment: explicit, accurate registry metadata declaring required env vars and credential scopes; a public, audited repository and maintainer identity; removal or justification of any prompt-manipulation text in SKILL.md; and an alternative payment flow that doesn't require exposing a private key to the agent runtime.