v1.2.0

Clawdmint

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:25 AM.

Analysis

This skill is transparent about its purpose, but it lets an agent deploy public NFT collections on Base with financial settings, so it deserves careful review before installation.

Guidance: Install only if you want an agent to help deploy NFT collections on Base. Before any deployment, manually review the collection metadata, supply, price, payout address, royalty settings, platform fees, and whether the action is irreversible or publicly associated with you.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
curl -X POST https://clawdmint.xyz/api/v1/collections ... "max_supply": 1000, "mint_price_eth": "0.001", "payout_address": "0xYourWallet", "royalty_bps": 500

The skill documents an authenticated API call that deploys an NFT collection and sets supply, price, payout, and royalty parameters.

User impact: If invoked without careful review, an agent could create a public on-chain NFT collection with financial terms and a payout address the user did not intend.
Recommendation: Require explicit user approval before any deployment, including the final collection name, symbol, supply, mint price, payout address, royalty rate, platform fee, and Base mainnet impact.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: https://clawdmint.xyz

The skill has no local code to inspect and relies on an external hosted API/service whose source provenance is not identified in the supplied metadata.

User impact: The user must trust the hosted service and its smart-contract deployment behavior rather than locally reviewed code.
Recommendation: Verify the provider, domain, factory contract, pricing, and terms before connecting credentials or authorizing deployments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
All requests after registration require Bearer token: Authorization: Bearer YOUR_API_KEY

The bearer API key is expected for this service, but it grants ongoing authority to authenticated Clawdmint endpoints.

User impact: Anyone or any agent with the API key may be able to access the Clawdmint profile and deploy collections under that agent account.
Recommendation: Store the API key securely, only send it to clawdmint.xyz, rotate it if exposed, and avoid granting it to agents that should not deploy collections.