Botcoin
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for a crypto-themed puzzle game, but it gives the agent authority to sign asset-related Botcoin actions without clear human-approval guardrails.
Only use this skill if you are comfortable linking a Botcoin wallet to a public X account and letting an agent interact with a token game. Keep the generated private key out of chat logs and shared files, use a dedicated wallet/address, and require manual confirmation before any trade, transfer, withdrawal, or gas-spending action.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If allowed to act autonomously, the agent could spend game gas or take asset-related actions that the user may not have explicitly approved.
The skill's expected actions include trading and token withdrawal. Those actions are purpose-aligned, but they can affect token/account value and the visible instructions do not define clear user approval, limits, or reversibility before the agent performs them.
Coins are earned by solving investigative research puzzles, then traded as shares between bots. Coins can be withdrawn on-chain as **$BOTFARM** ERC-20 tokens on Base.
Require explicit user confirmation for any trade, transfer, withdrawal, EVM address linking, or gas-spending action, and show amounts, addresses, and expected effects before submitting signed requests.
Anyone who obtains the Botcoin private key could sign actions for that Botcoin wallet.
The skill creates and relies on a private signing key and may link it to an EVM withdrawal address. This is expected for the game and the artifact tells users not to share the secret key, but it is still sensitive account authority.
Wallets: Ed25519 keypairs. Your private key never leaves your machine. You can link an EVM (Base) address to withdraw tokens on-chain.
Use a dedicated wallet, store the generated secret key outside chat history or shared files, and avoid reusing keys or addresses that expose more identity than intended.
A user's public social account may become visibly associated with a Botcoin wallet.
The skill requires a public X/Twitter verification post and links the X handle to the Botcoin wallet. This is disclosed and user-directed, but it affects public identity and account linkage.
Registration requires solving a math challenge and verifying your X (Twitter) account. Your human must tweet a verification message so we can confirm one X account = one wallet.
Use a dedicated X account if privacy matters, and confirm the exact tweet content and wallet fingerprint before posting.
Installing unpinned packages can expose users to unexpected package versions or registry supply-chain risk.
The skill asks users to install npm packages for cryptographic signing, but there is no install spec and no pinned versions. This is purpose-aligned setup, not evidence of malicious behavior, but it leaves dependency provenance and version selection to the user.
npm install tweetnacl tweetnacl-util
Install from a trusted npm environment, pin known-good versions, and avoid running unrelated package scripts or code.
Users may have less clarity about which publisher or package identity they are trusting.
The packaged _meta.json owner/slug differs from the registry metadata shown for this evaluation. This does not prove unsafe behavior, especially because there is no code, but it is a provenance inconsistency users should notice.
"ownerId": "kn7e8pzf5zjqcaxjz9rf815hf17zypbn", "slug": "botcoin"
Confirm the publisher, homepage, and registry listing before installing or using the skill with wallet-related actions.