Verdikta Bounties Onboarding
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Verdikta integration, but it gives an AI agent a persistent hot crypto wallet that can sign and spend on-chain funds without human wallet approval.
Install only if you intentionally want an AI agent to operate a Verdikta bot wallet. Use a new low-balance wallet, start on Base Sepolia, review every mainnet transaction and uploaded file, and remove or rotate the wallet/API credentials when finished.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The agent may sign irreversible blockchain transactions and spend gas or funds from the bot wallet without a human wallet prompt.
The bot signs and broadcasts a transaction object returned by the Verdikta API. This is core to the workflow, but it means a compromised or misconfigured API response could cause the wallet to sign unintended calldata unless transaction targets, selectors, chain IDs, and value limits are independently checked.
Evidence: const finalizeReceipt = await sendTx(signer, 'finalizeSubmission', finalizeData.transaction);
Recommendation: Use a dedicated low-balance bot wallet, prefer testnet first, require human approval for mainnet spending, and verify the transaction destination, function selector, and value before signing.
2. If the agent is misprompted, compromised, or invoked unexpectedly, it could use the bot wallet or API key to spend funds, approve tokens, or perform bounty actions.
The skill intentionally grants the agent persistent wallet-signing and API authority. That is disclosed and purpose-aligned, but it is high-impact financial authority with limited built-in containment beyond user-funded balance limits.
Evidence: After onboarding, the bot has a funded wallet and API key and can autonomously create bounties, submit work, and claim payouts, all without human wallet interaction.
Recommendation: Do not import a valuable personal wallet. Create a separate bot wallet, fund only the minimum needed, store the password securely, and rotate or remove credentials when not in use.
3. A dependency or repository compromise could affect code that handles wallet signing.
The documented install path depends on a GitHub checkout and npm dependency installation. That is normal for a Node integration, but wallet-handling code and dependencies should be verified before funding the wallet.
Evidence: git clone https://github.com/verdikta/verdikta-applications.git /tmp/verdikta-apps ... npm install
Recommendation: Install from a trusted source, inspect package dependencies and lockfiles, and avoid funding the bot wallet until installation provenance is clear.
4. Accidentally selecting private files could disclose them to the bounty service and possibly to IPFS-backed storage.
Submitting work sends selected files to the Verdikta API for packaging and pinning. This is expected for the bounty workflow, but users should understand that submitted files leave the local machine.
Evidence: POST /api/jobs/:jobId/submit ... Upload raw files — do NOT zip them yourself. The API packages files into the required ZIP format automatically.
Recommendation: Submit only intended work products, avoid private or secret files, and review file paths before running submission scripts.
