v1.0.0

Chia SplitXCH

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

The skill appears coherent and benign, but it sends wallet split details to SplitXCH and creates a payment address that users should verify before sending XCH.

Guidance: This skill is reasonable for creating SplitXCH royalty or payment split addresses. Before installing or using it, understand that split details are sent to splitxch.com, each split level includes a 1.5% fee, and the generated address should be carefully verified before anyone sends XCH to it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Call the SplitXCH API via `scripts/splitxch.sh` or direct curl

The skill intentionally uses a local helper or curl to create a payment split address. This is purpose-aligned, but mistakes in recipient addresses or basis points could create an incorrect payment destination.

User impact: The skill does not spend funds itself, but the address it creates may later receive real XCH and route it according to the submitted split.
Recommendation: Confirm all recipient addresses, percentages, basis-point totals, and the 1.5% fee before calling the API or sending XCH to the generated address.
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
scripts/splitxch.sh
jq -e '.recipients' ... curl -s -w "\n%{http_code}" -X POST "$API_URL"

The helper script depends on local jq and curl even though the provided requirements declare no required binaries and there is no install spec.

User impact: The skill may fail or behave differently depending on the user's local shell tools, even though this is not clearly declared in metadata.
Recommendation: Before using the helper script, ensure bash, curl, and jq are installed from trusted sources, or use a reviewed direct API request.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
references/api.md
POST https://splitxch.com/api/compute/fast

The documented API request sends recipient names, XCH wallet addresses, and point allocations to an external SplitXCH service.

User impact: The external service can see the wallet addresses, names, and revenue-share structure included in the split request.
Recommendation: Only submit split details you are comfortable sharing with SplitXCH, and use the documented dry-run/preview approach before making the API call when privacy or accuracy matters.