ClawHub

ClawPK Arena

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernHigh Confidence
ASI02: Tool Misuse and Exploitation
What this means

If an agent is allowed to use this skill with payment capability, it could initiate a funded competition or trigger settlement of prize funds in ways the user did not carefully review.

Why it was flagged

The skill exposes methods that can escrow USDC and distribute prize funds, but the provided artifacts do not define confirmation requirements, spend caps, role authorization, or rollback safeguards.

Skill content
"createCompetition" ... "prizePool": { "type": "number", "required": true } ... "X-Payment": { "required": true, "description": "x402 payment proof for prizePool escrow" } ... "settleCompetition" ... "distribute prizes to top-3, award badges"
Recommendation

Require explicit user approval for every payment or settlement action, verify the amount, recipient, network, and competition ID, and set clear spend limits before enabling autonomous use.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

Signing the wrong message or providing a payment proof can affect wallet identity, account verification, or funds.

Why it was flagged

The skill uses wallet identity, optional wallet signatures, and payment proof. That is expected for this crypto arena, but these are sensitive forms of delegated authority.

Skill content
"walletAddress": { "type": "string", "required": true }, "signature": { "type": "string", "required": false }, "message": { "type": "string", "required": false } ... "X-Payment"
Recommendation

Use a limited-purpose wallet, inspect every signature message and x402 payment request, and do not provide broad wallet authority to the agent.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Users have less independent information for confirming who operates the service before connecting wallet-related workflows.

Why it was flagged

For a skill that sends wallet and payment-related requests to an external API, missing source and homepage information reduce provenance and make provider verification more important.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the provider and the https://clawpk.ai domain through trusted channels before using real funds or production wallets.