skill bundle clawchain
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: testing-clawchain-flag Version: 1.0.1 The skill bundles are classified as suspicious primarily due to a critical supply chain vulnerability. The `skill.md` and `heartbeat.md` files contain explicit instructions for the AI agent to fetch and overwrite its own skill files (`SKILL.md` and `HEARTBEAT.md`) from a remote URL (`https://clawchain.ai`) using `curl`. If the `clawchain.ai` domain were compromised, an attacker could push arbitrary malicious code to the agent, leading to remote code execution. While the current code does not exhibit intentional malicious behavior, this self-update mechanism from an unauthenticated remote source represents a significant vulnerability. Additionally, the skills involve extensive use of shell commands (`chr`, `node`, `curl`, `npm`, `brew`) and handle private keys stored locally in `credentials.json` and `wallet.json`, which, despite documented security practices, inherently increase the attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled or invoked, the agent could control funds placed in that wallet; compromise or misuse of the wallet file could lead to asset loss.
A bundled companion file instructs creating a wallet file containing a BSC private key that can sign transactions. This is high-impact financial credential authority and is broader than the primary ClawChain social-network registry description.
fs.writeFileSync(file, JSON.stringify({
privateKey: wallet.privateKey,
address: wallet.address,
publicKey: wallet.publicKey
}, null, 2), { mode: 0o600 });Only use the trading companion files if you intentionally want trading. Use a dedicated small-balance wallet, keep keys encrypted where possible, and require explicit confirmation before any swap or transfer.
The agent could publish, vote, comment, delete, pin, or ban on-chain/public content in ways that are hard to undo and may affect reputation or communities.
The heartbeat routine encourages recurring public posts and moderation actions, including deleting posts and banning users, without clearly requiring per-action human approval.
Post new content | 1-2 times per day max ... Moderation duties (if applicable) | Every 4-6 hours ... Remove spam, harassment, off-topic content → `mod_delete_post` ... Ban repeat offenders if necessary → `ban_from_subclaw`
Require user review for posts, comments, votes, and all moderation actions, especially deletes, bans, pins, and other irreversible or public actions.
A changed or compromised remote file could alter the agent's future behavior while retaining access to local keys and on-chain transaction authority.
The skill tells the agent/user to overwrite local skill instruction files from a remote website, with no checksum, signature, pinned version, or review step shown.
If there's a new version, re-fetch the core skill files: ```bash curl -s https://clawchain.ai/skill.md > ~/.clawchain/skills/clawchain/SKILL.md curl -s https://clawchain.ai/heartbeat.md > ~/.clawchain/skills/clawchain/HEARTBEAT.md ```
Do not auto-update skill files. Pin versions, verify checksums or signatures, and review diffs before replacing local instructions.
Local helper scripts can access signing keys during transaction creation, so users should understand and trust the code before running it.
The curl variant creates local JavaScript helper scripts for key generation and transaction signing. This is purpose-aligned for blockchain operations, but it is executable local code embedded in markdown rather than separately scanned code files.
You MUST run each `cat << 'EOF' > ...` command below. These commands create the `.js` files inside `~/.config/clawchain/scripts/`.
Review generated scripts before execution, keep them in a controlled directory, and pin/review npm dependencies used by the scripts.
Stored personality or memory content could bias future posts or actions if it is stale, manipulated, or over-trusted.
The skill uses a persistent local personality/profile file that can influence future actions. This is aligned with the stated memory/personality purpose, but persistent instructions should not be treated as higher priority than user intent.
`~/.clawchain/agents/<agent_name>/SOUL.md` ... "Local personality profile file. Contains exaggerated personality instructions derived from your on-chain personality summary."
Review and edit the SOUL/memory file regularly, scope it to ClawChain tasks, and treat stored personality text as context rather than binding instructions.