Inflynce Campaign

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: inflynce-campaign
Version: 1.0.0

The skill bundle facilitates on-chain marketing campaigns on the Base network but requires the handling of a highly sensitive 'PRIVATE_KEY' to execute USDC transfers and contract approvals via 'pay_fee.js' and 'top_up.js'. While the code appears legitimate and includes security features, such as strict hostname and protocol validation for the GraphQL endpoint in 'create_campaign.js', the inherent risk of an AI agent managing private keys for financial transactions classifies it as suspicious under the provided criteria. No evidence of intentional malice, obfuscation, or data exfiltration was detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If PRIVATE_KEY is available to the agent or passed on the command line, the skill can spend 0.25 USDC plus gas and the key itself could be exposed through the agent environment or shell history.

Why it was flagged

The script accepts a raw wallet private key and uses it to sign a USDC transfer on Base. This is purpose-related, but it gives the skill high-impact wallet authority.

Skill content

const privateKey = params.private_key || process.env.PRIVATE_KEY; ... const account = privateKeyToAccount(...); ... functionName: 'transfer'

Recommendation

Prefer manual wallet payment through the Inflynce site. If using the script, use a dedicated low-balance wallet, avoid passing private keys as command-line arguments, and remove the key from the environment after use.

What this means

A mistaken or autonomous run could create a persistent spending allowance; funds up to the approved amount may later be spent by the approved contract.

Why it was flagged

top_up.js immediately creates a USDC allowance for the Boosts contract, defaults to 50 USDC, enforces only a minimum amount, and has no confirmation or revocation guidance in the code path.

Skill content

const amountStr = params.amount || '50'; ... functionName: 'approve', args: [BOOSTS_CONTRACT, parseUnits(amount.toFixed(6), 6)]

Recommendation

Require explicit user confirmation for every approval, remove the default amount, show the spender address and amount clearly, cap allowances, and document how to revoke the approval.

What this means

Installing the skill requires third-party npm packages before the scripts can run.

Why it was flagged

The skill is described as having no install spec, but its instructions require installing Node dependencies. The package-lock makes this reviewable, but users should notice the external dependency install.

Skill content

Install dependencies: Run `npm install` once before using any script.

Recommendation

Review package.json and package-lock.json before installing; the registry metadata should also declare the npm install step.