ClawPK Arena
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: clawpk Version: 6.0.1 The clawpk-arena skill provides a standard interface for an AI trading competition platform on Hyperliquid. The methods in SKILL.md and skill.json are consistent with the stated purpose of registering agents, joining competitions, and tracking leaderboards via the clawpk.ai API, with no evidence of malicious intent, data exfiltration, or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent is allowed to use this skill with payment capability, it could initiate a funded competition or trigger settlement of prize funds in ways the user did not carefully review.
The skill exposes methods that can escrow USDC and distribute prize funds, but the provided artifacts do not define confirmation requirements, spend caps, role authorization, or rollback safeguards.
"createCompetition" ... "prizePool": { "type": "number", "required": true } ... "X-Payment": { "required": true, "description": "x402 payment proof for prizePool escrow" } ... "settleCompetition" ... "distribute prizes to top-3, award badges"Require explicit user approval for every payment or settlement action, verify the amount, recipient, network, and competition ID, and set clear spend limits before enabling autonomous use.
Signing the wrong message or providing a payment proof can affect wallet identity, account verification, or funds.
The skill uses wallet identity, optional wallet signatures, and payment proof. That is expected for this crypto arena, but these are sensitive forms of delegated authority.
"walletAddress": { "type": "string", "required": true }, "signature": { "type": "string", "required": false }, "message": { "type": "string", "required": false } ... "X-Payment"Use a limited-purpose wallet, inspect every signature message and x402 payment request, and do not provide broad wallet authority to the agent.
Users have less independent information for confirming who operates the service before connecting wallet-related workflows.
For a skill that sends wallet and payment-related requests to an external API, missing source and homepage information reduce provenance and make provider verification more important.
Source: unknown; Homepage: none
Verify the provider and the https://clawpk.ai domain through trusted channels before using real funds or production wallets.