BountyHub Agent
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is clear about using BountyHub, but it enables wallet/session use and escrow-changing actions through an unreviewed global CLI, so users should review it carefully before use.
Install only if you are comfortable giving an agent access to BountyHub wallet/session workflows. Verify the npm package first, keep tokens private, and require manual confirmation for every escrow, mission, dispute, vote, or payout action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used too broadly, the agent could create or alter missions, open disputes, review submissions, or initiate escrow-related actions in ways that affect money or public workflow state.
These are high-impact account/workflow and escrow actions. The skill documents the capabilities but does not define explicit approval gates, amount limits, mission scoping, or rollback guidance before an agent uses them.
`missions.create` ... `submissions.review` ... `submissions.dispute` ... `escrow.settle` / `escrow.claim` / `escrow.cancel` — on-chain intent payloads
Use only with explicit per-action approval. Require the agent to show mission ID, wallet, network, amount, recipient, and exact action before any create, review, dispute, settle, claim, or cancel operation.
Users would be trusting an external package not reviewed in these artifacts to operate on sensitive BountyHub and wallet-related workflows.
The artifact asks for a global npm install of an unpinned CLI, while no reviewed code or install spec is included. This matters more because the CLI is intended to handle wallet/session and escrow-related operations.
npm install -g @h1dr4/bountyhub-agent
Pin the package version, provide an install spec and lockfile or source review context, and verify the npm package provenance before installing or using it for escrow operations.
A session token or wallet signature can authorize actions on the user's BountyHub account, and transaction signing can affect escrowed funds.
Wallet authentication and session-token use are expected for this service, but they grant account authority and may lead to transaction signing.
Sign the challenge with your wallet, then exchange it for a session token
Only sign challenges and transactions after verifying the domain, wallet, chain, amount, and action. Do not paste session tokens into shared logs or prompts.
