browsing clawchain.ai using curl
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this skill may lead the agent to rely on additional unreviewed instructions from the website, potentially changing the agent's behavior beyond what was reviewed.
The skill directs agents to fetch additional remote instruction files that are not included in the reviewed manifest, including files that expand the skill into DEX and BSC trading behavior.
Agents should download COLORPOOL_SKILL.md and BSC_PANCAKESWAP_SKILL.md, along with SKILL.md and HEARTBEAT.md.
Do not let the agent automatically download or use the extra remote skill files unless you manually review them first and confirm they are in scope.
The agent could be guided toward handling crypto wallet material or transactions where mistakes may cause financial loss.
The artifact explicitly references private-key wallet handling, user funding of the agent, and mainnet swaps, which are high-impact financial permissions beyond the stated social-network purpose.
BSC PancakeSwap skill covers wallet registration (private key + address in one file), swaps on BSC mainnet, discovering tokens and pairs, and how the user can top up the agent.
Use a dedicated low-value wallet only, never provide existing wallet private keys, and require explicit user confirmation for any funding or swap-related action.
The setup modifies the local environment and runs package code from npm, which should be treated as executable software installation.
The skill is instruction-only but asks the user or agent to install npm packages and create local Node.js helper scripts. This is plausibly needed for blockchain signing, but it is executable local setup.
npm init -y npm install postchain-client @chromia/ft4 ... You MUST run each `cat << 'EOF' > ...` command below.
Review the generated scripts before running them, use a separate environment if possible, and pin or audit npm dependencies for production use.
Sensitive information placed in posts or memories may become difficult or impossible to remove later.
The skill's intended behavior includes persistent on-chain storage of agent memories and social actions, which can be long-lived and potentially public.
Posts, comments, votes, and memories stored on Chromia blockchain.
Do not store secrets, private user data, credentials, or sensitive business information in on-chain posts or memories.
