ClawdVine
Warn
Audited by ClawScan on May 10, 2026.
Overview
ClawdVine matches its stated video-generation purpose, but it needs review because its helpers use a raw EVM private key to authorize paid USDC/x402 actions without clearly declared credential requirements or visible spend caps.
Review before installing or invoking. The provided code does not show direct private-key exfiltration, but it does use the key to sign paid x402 requests. Prefer credits or a burner wallet with limited USDC, confirm model and price before every generation, and do not allow the skill to override your agent's higher-priority instructions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or local process has access to this private key, it can authorize paid video generations from that wallet.
The generation helper requires a raw EVM private key and turns it into a signer. That credential can authorize wallet actions and USDC payments, which is higher privilege than the registry metadata's 'Primary credential: none' suggests.
const privateKey = process.env.EVM_PRIVATE_KEY; ... const signer = privateKeyToAccount(privateKey);
Use a limited funded burner wallet or credits, avoid main-wallet private keys, and require explicit user approval before any transaction.
A mistaken or overly autonomous invocation could spend USDC on video generations without the user seeing a final price approval step in this helper.
The helper submits a paid generation request through an automatic x402 payment wrapper. The visible code does not show a local maximum price, cost confirmation, or spending limit before the payment-enabled request is made.
const res = await fetchWithPayment(`${API_BASE}/generation/create`, { method: 'POST', ... body: JSON.stringify({ prompt, videoModel: model, duration, ...(agentId && { agentId }) }) });
Add an explicit max-cost parameter and require user confirmation after reading the 402 price before signing or paying.
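The control this recommendation describes, written out as an added example that is not ClawdVine's helper or ClawScan's code: the unpaid request is sent first, the price is read from the 402 body, anything above a caller-supplied cap is refused, and the signed paying retry happens only after an explicit confirmation callback returns true. It assumes the 402 body follows the public x402 v1 shape (`accepts[].scheme`, `maxAmountRequired`, `asset`, `network`, `payTo`); the function name `guardedPaidFetch`, the `pay` callback (standing in for the x402 payment wrapper and the signer from the first finding) and the fake endpoint are constructed for the example so it runs offline with no private key.

```javascript
// Added example, not ClawdVine or ClawScan code. ASSUMPTION: the 402 body uses
// the x402 v1 shape (accepts[].scheme / maxAmountRequired / asset / network /
// payTo). Signing is delegated to an injected `pay` callback, so the private
// key (the signer of finding 1) is reachable only from that one call site and
// only after the cap and confirmation checks below have passed.

const USDC_UNIT = 10n ** 6n; // USDC has 6 decimals; prices arrive in atomic units

// Pick the exact-scheme requirement from a 402 body and return its price in atomic units.
function parsePaymentRequirements(body) {
  const accepts = Array.isArray(body && body.accepts) ? body.accepts : [];
  const req = accepts.find((a) => a.scheme === 'exact' && /^\d+$/.test(String(a.maxAmountRequired)));
  if (!req) throw new Error('402 response carries no parsable exact-scheme requirement');
  return { atomic: BigInt(req.maxAmountRequired), asset: req.asset, network: req.network, payTo: req.payTo };
}

function formatUsdc(atomic) {
  return `${atomic / USDC_UNIT}.${(atomic % USDC_UNIT).toString().padStart(6, '0')} USDC`;
}

// fetchImpl: fetch-compatible function (global fetch in real use).
// maxCostAtomic: hard cap in atomic USDC. confirm(reqs): async user approval.
// pay(url, init, reqs): the signed, paying retry (in real use, the x402 wrapper).
async function guardedPaidFetch(url, init, { fetchImpl, maxCostAtomic, confirm, pay }) {
  const probe = await fetchImpl(url, init); // unpaid request: nothing is signed here
  if (probe.status !== 402) return { status: probe.status, paid: false, res: probe };

  const reqs = parsePaymentRequirements(await probe.json());
  if (reqs.atomic > maxCostAtomic) {
    return { status: 402, paid: false, refused: 'over_cap', price: reqs.atomic };
  }
  if (!(await confirm({ ...reqs, display: formatUsdc(reqs.atomic) }))) {
    return { status: 402, paid: false, refused: 'not_confirmed', price: reqs.atomic };
  }
  const res = await pay(url, init, reqs); // the only path that signs and spends
  return { status: res.status, paid: true, price: reqs.atomic, res };
}

// Constructed fake endpoint: answers 402 with a fixed price until an X-PAYMENT header arrives.
function makeFakeServer(priceAtomic) {
  const calls = { unpaid: 0, paid: 0 };
  const fetchImpl = async (url, init = {}) => {
    const headers = init.headers || {};
    if (headers['X-PAYMENT']) {
      calls.paid += 1;
      return { status: 200, json: async () => ({ jobId: 'fake-job-1' }) };
    }
    calls.unpaid += 1;
    return {
      status: 402,
      json: async () => ({
        x402Version: 1,
        accepts: [{ scheme: 'exact', network: 'base', asset: '0xFAKE_USDC', payTo: '0xFAKE_VENDOR',
                    maxAmountRequired: String(priceAtomic), resource: url }],
      }),
    };
  };
  // Stand-in for the payment wrapper: attaches a fake payment header instead of a real signature.
  const pay = (url, init, reqs) =>
    fetchImpl(url, { ...init, headers: { ...(init.headers || {}), 'X-PAYMENT': `fake-sig:${reqs.atomic}` } });
  return { fetchImpl, pay, calls };
}

// Three scenarios against the fake endpoint: price over cap, user declines, user approves.
async function runScenarios() {
  const body = JSON.stringify({ prompt: 'a vine growing over a wall', videoModel: 'fake-model', duration: 5 });
  const init = { method: 'POST', headers: { 'Content-Type': 'application/json' }, body };
  const url = 'https://api.example.invalid/generation/create';
  const cap = 500000n; // 0.50 USDC

  const expensive = makeFakeServer(2000000n); // 2.00 USDC, above the cap
  const overCap = await guardedPaidFetch(url, init,
    { fetchImpl: expensive.fetchImpl, maxCostAtomic: cap, confirm: async () => true, pay: expensive.pay });

  const declined = makeFakeServer(250000n); // 0.25 USDC, user says no
  const notConfirmed = await guardedPaidFetch(url, init,
    { fetchImpl: declined.fetchImpl, maxCostAtomic: cap, confirm: async () => false, pay: declined.pay });

  const ok = makeFakeServer(250000n); // 0.25 USDC, user approves
  const approved = await guardedPaidFetch(url, init,
    { fetchImpl: ok.fetchImpl, maxCostAtomic: cap, confirm: async () => true, pay: ok.pay });

  return { overCap, notConfirmed, approved,
           paidCalls: { expensive: expensive.calls.paid, declined: declined.calls.paid, ok: ok.calls.paid } };
}

runScenarios().then((r) =>
  console.log(JSON.stringify(r, (k, v) => (typeof v === 'bigint' ? v.toString() : v), 2)));
```

Only the approved scenario ever reaches `pay`; the other two return a refusal with the parsed price attached, so the agent can report the quoted cost to the user without having spent anything. Wiring a real signer in means making `pay` the only closure that holds it, and keeping the cap well below the burner wallet's balance.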
Future videos may be tied to the same agent profile instead of being anonymous.
The skill asks the agent to persist an identifier across future requests. This is purpose-aligned for attribution, but it creates lasting linkage between generations and an agent identity.
Store this permanently. Save your `agentId` to memory, config, or set `CLAWDVINE_AGENT_ID` in your environment so you never generate anonymously.
Only store the agent ID if persistent attribution is desired, and provide a way to remove or change it.
