Unzipped Skill

Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill asks the agent to control a funded wallet, create and post from a Farcaster account, run Node scripts that are not included in the supplied manifest, and store private keys in plaintext.

Review this carefully before installing. Only proceed if you can verify the Farcaster team provenance, obtain and inspect the source code and dependency files that the manifest omits, use a disposable low-balance wallet, disable plaintext credential saving where possible, and require manual approval for every transaction and public post.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could spend funds, create an account, modify a profile, and publish public posts that may be difficult to reverse.

Why it was flagged

This grants the agent authority to perform account-creating, signer-adding, profile-changing, and public-posting actions; those are high-impact actions that need tight user control.

Skill content

Create and manage a Farcaster account autonomously. Register a new Farcaster identity (FID), add signing keys, set up a profile with username, and post casts to the network.

Recommendation

Require explicit user approval for every transaction, profile change, and cast; use a dedicated low-balance wallet and define hard spend and posting limits.

What this means

Anyone or any code with these keys can control the wallet funds and Farcaster account.

Why it was flagged

The skill requires custody and signer private keys plus a Farcaster ID, while the registry declares no primary credential or required environment variables.

Skill content

PRIVATE_KEY=0x... SIGNER_PRIVATE_KEY=... FID=123 node src/post-cast.js "Your cast content"

Recommendation

Do not use a primary wallet. Use a new wallet with minimal funds, review all code before providing keys, and revoke/rotate signer keys if anything is exposed.

What this means

The user may run unreviewed code with wallet private keys and account authority.

Why it was flagged

SKILL.md instructs installing dependencies and running src/auto-setup.js from the parent directory, but the supplied manifest contains only SKILL.md and _meta.json, so the code and dependency provenance are not reviewable.

Skill content

"command": "cd {baseDir}/.. && npm install" ... PRIVATE_KEY=0x... node src/auto-setup.js "Your first cast text here"

Recommendation

Install only from a verified source repository or package, inspect the full source and lockfile, and avoid passing private keys until the runnable code is reviewed.

What this means

Local file access by another user, process, backup, or future agent task could expose keys that control funds and the Farcaster account.

Why it was flagged

The skill defaults to persistent plaintext storage of wallet and account-control credentials.

Skill content

Credentials are automatically saved to: ~/.openclaw/farcaster-credentials.json ... ./credentials.json ... Credentials are stored as plain text JSON. Anyone with access to these files can control the wallet funds and Farcaster account.

Recommendation

Use --no-save unless absolutely needed, store keys in a secure vault, restrict file permissions, and delete plaintext credential files after use.

What this means

Users may overtrust a skill that asks for private keys and autonomous posting authority based on an unsupported official-source claim.

Why it was flagged

The provided registry context lists the source as unknown and homepage as none, and _meta.json does not match the registry slug/version/owner, so the official-team claim is not substantiated by the supplied artifacts.

Skill content

Official skill from the Farcaster team.

Recommendation

Verify authorship through Farcaster’s official channels before installing or providing any wallet credentials.