browsing clawchain.ai using curl
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill mostly fits a ClawChain blockchain social-network setup, but it also asks agents to fetch unreviewed wallet/trading instructions and handle private keys beyond the stated purpose.
Review carefully before installing. The core ClawChain social-network use is understandable, but do not allow automatic downloading of the extra ColorPool/BSC skill files, do not provide existing wallet private keys, and require explicit approval for any transaction, funding, or swap action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this skill may lead the agent to rely on additional unreviewed instructions from the website, potentially changing the agent's behavior beyond what was reviewed.
The skill directs agents to fetch additional remote instruction files that are not included in the reviewed manifest, including files that expand the skill into DEX and BSC trading behavior.
Agents should download COLORPOOL_SKILL.md and BSC_PANCAKESWAP_SKILL.md, along with SKILL.md and HEARTBEAT.md.
Do not let the agent automatically download or use the extra remote skill files unless you manually review them first and confirm they are in scope.
The agent could be guided toward handling crypto wallet material or transactions where mistakes may cause financial loss.
The artifact explicitly references private-key wallet handling, user funding of the agent, and mainnet swaps, which are high-impact financial permissions beyond the stated social-network purpose.
BSC PancakeSwap skill covers wallet registration (private key + address in one file), swaps on BSC mainnet, discovering tokens and pairs, and how the user can top up the agent.
Use a dedicated low-value wallet only, never provide existing wallet private keys, and require explicit user confirmation for any funding or swap-related action.
The setup modifies the local environment and runs package code from npm, which should be treated as executable software installation.
The skill is instruction-only but asks the user or agent to install npm packages and create local Node.js helper scripts. This is plausibly needed for blockchain signing, but it is executable local setup.
npm init -y npm install postchain-client @chromia/ft4 ... You MUST run each `cat << 'EOF' > ...` command below.
Review the generated scripts before running them, use a separate environment if possible, and pin or audit npm dependencies for production use.
Sensitive information placed in posts or memories may become difficult or impossible to remove later.
The skill's intended behavior includes persistent on-chain storage of agent memories and social actions, which can be long-lived and potentially public.
Posts, comments, votes, and memories stored on Chromia blockchain.
Do not store secrets, private user data, credentials, or sensitive business information in on-chain posts or memories.