Go4Me
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated Go4Me/XCH payment purpose, but it can submit real wallet transactions and its lookup input is not tightly constrained to Twitter handles.
Review this skill before installing if you plan to use it for payments. It appears purpose-built for Go4Me/XCH tipping, but only approve transactions after checking the exact recipient address and amount, and avoid entering anything other than normal Twitter-style handles.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mistaken username could cause the agent to fetch data from somewhere other than the intended Go4Me profile, which is especially risky if the result is used as the recipient address for a payment.
The script does not validate that the input is a valid Twitter/Go4Me handle before using it in a URL. Inputs containing characters like slashes could make curl contact an unintended host or path, which is broader than the skill’s stated lookup scope.
local username="${1#@}" ... local url="https://${username}.go4.me/" ... response=$(curl -s -w "\n%{http_code}" "$url" 2>/dev/null)
Validate usernames before lookup, for example by accepting only expected handle characters and length, and reject anything containing slashes, schemes, dots, ports, or other URL-control characters.
If the user confirms the wrong amount or recipient address, funds may be sent and may not be recoverable.
The skill explicitly submits a wallet transaction after user confirmation. This is purpose-aligned, but it is a high-impact action because cryptocurrency transfers can be irreversible.
On confirm, call sage-wallet `send_xch` ... `"auto_submit":true`
Before confirming, carefully verify the handle, full name, XCH address, amount, and units; consider using a low-balance wallet for tipping.
Anyone using this skill is granting the agent a path to submit transactions through the configured local wallet credentials.
The payment flow uses local wallet certificate/key material to authorize the sage-wallet RPC call. That is expected for sending XCH, but it is sensitive authority.
curl -s --cert $CERT --key $KEY -X POST https://127.0.0.1:9257/send_xch
Use only the intended wallet credentials, protect the certificate/key files, and do not approve transactions unless the recipient and amount are correct.
Security of payments depends not only on this skill, but also on the separately installed sage-wallet skill and local wallet setup.
The skill depends on a separate wallet skill that is not included in the reviewed artifacts. This is disclosed and purpose-aligned, but users must trust that dependency too.
Install sage-wallet first:
```
/skill install Koba42Corp/sage-wallet
```
Review and install sage-wallet only from a trusted source before using Go4Me to send funds.
