Tip with Grove

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Grove tipping guide, but it enables real-money tipping and account funding, including autonomous and cron modes backed by a local wallet or an API key. Users should review that authority carefully before installing.

Install only if you intentionally want an agent-capable real-money tipping tool. Use a dedicated low-balance wallet or limited API key, review the remote installer, avoid unattended cron/--yes automation unless you set strict budgets, and keep webhook/log destinations private.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: --yes skips the funding confirmation

What this means

If an agent or automation runs this with --yes, it can spend from the configured wallet without a fresh human confirmation for that funding action.

Why it was flagged

The script can move funds into the Grove account while skipping confirmation. Because this is a real-money action, the confirmation-bypass path needs explicit user budgeting and operational controls.

Skill content

    --yes                      Skip confirmation prompt
    ...
    fund_result=$(grove fund "$FUND_AMOUNT" --network "$NETWORK" --json 2>&1)

Recommendation

Use dry-run and manual confirmation by default; only enable --yes with strict wallet funding limits, monitoring, and an explicit spending budget.

Finding 2: Unattended recurring funding from cron

What this means

A misconfigured or forgotten cron job could keep topping up the Grove account whenever the balance falls, potentially moving more funds than expected over time.

Why it was flagged

The documentation explicitly shows a persistent cron job that runs every 15 minutes with confirmation disabled, creating unattended recurring financial automation.

Skill content

    Typical cron usage:
        */15 * * * * /path/to/auto-fund.sh --yes >> /var/log/grove-auto-fund.log 2>&1

Recommendation

Do not enable the cron example unless you have a capped wallet, clear spending limits, alerting, and a plan to disable it.
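Findings 1 and 2 share one practical remedy: put a spending budget in front of the --yes path, so that a cron job which fires every 15 minutes can only ever fund up to a fixed cap. The wrapper below is an added example written for this review; it is not code from the Grove skill or the Grove CLI. It assumes only the `grove fund AMOUNT --network NET --json` invocation and the `--yes` flag quoted above, and that AMOUNT is a decimal USDC value. The ledger file, the per-run and rolling 24-hour caps (kept in USDC cents so the arithmetic stays in integer shell math), and the GROVE_BIN override are hypothetical names introduced here.

```shell
#!/bin/sh
# Budget-capped replacement for "auto-fund.sh --yes" (added example, hypothetical names).
# Assumes `grove fund AMOUNT --network NET --json [--yes]` as quoted in the skill.
LEDGER="${LEDGER:-$HOME/.grove-fund-ledger}"   # one line per funding: "<epoch> <cents>"
MAX_PER_RUN="${MAX_PER_RUN:-500}"              # 5.00 USDC per invocation
MAX_PER_DAY="${MAX_PER_DAY:-2000}"             # 20.00 USDC per rolling 24 hours
GROVE_BIN="${GROVE_BIN:-grove}"                # point at a stub to dry-run the budget logic

# spent_last_24h LEDGER NOW -> prints the cents recorded in the 86400 s before NOW
spent_last_24h() {
  ledger=$1; now=$2
  [ -f "$ledger" ] || { echo 0; return 0; }
  awk -v now="$now" '$1 > now - 86400 { s += $2 } END { print s + 0 }' "$ledger"
}

# budget_ok AMOUNT_CENTS LEDGER NOW MAX_PER_RUN MAX_PER_DAY -> 0 if the funding is allowed
budget_ok() {
  amount=$1; ledger=$2; now=$3; per_run=$4; per_day=$5
  [ "$amount" -gt 0 ] && [ "$amount" -le "$per_run" ] || return 1
  spent=$(spent_last_24h "$ledger" "$now")
  [ $((spent + amount)) -le "$per_day" ]
}

# auto_fund AMOUNT_CENTS NETWORK -> fund only within budget, then append to the ledger.
# The skill's own script reaches `grove fund` unconditionally once --yes is set; here
# --yes is only passed after the budget check has succeeded.
auto_fund() {
  amount=$1; network=$2; now=$(date +%s)
  if ! budget_ok "$amount" "$LEDGER" "$now" "$MAX_PER_RUN" "$MAX_PER_DAY"; then
    echo "refusing: $amount cents exceeds per-run ($MAX_PER_RUN) or 24h ($MAX_PER_DAY) budget" >&2
    return 2
  fi
  usdc=$(printf '%d.%02d' $((amount / 100)) $((amount % 100)))
  "$GROVE_BIN" fund "$usdc" --network "$network" --json --yes || return 1
  printf '%s %s\n' "$now" "$amount" >> "$LEDGER"
}
```

Point the cron entry at a script that sources these functions and calls `auto_fund` instead of `auto-fund.sh --yes`; the 24-hour cap then bounds the worst case of a forgotten job regardless of how often it fires. Set GROVE_BIN to a stub (a shell function works) to exercise the refusal paths before trusting the wrapper with a real wallet.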

Finding 3: Wallet or API-key authority that the metadata does not declare

What this means

Installing and using the skill may involve giving the agent access to a funded wallet or Grove API key capable of sending tips or funding the account.

Why it was flagged

The skill expects payment credentials and wallet authority for autonomous agents, but the registry metadata declares no primary credential, making the privilege requirements easy to underappreciate.

Skill content

    Wallet + Crypto (recommended) | Autonomous agents | Creates wallet, fund with USDC + ETH on Base, self-funds via x402
    ... I have an API key ... paste API key

Recommendation

Use a dedicated low-balance wallet or limited API key, avoid sharing personal wallets, and confirm what credentials the Grove CLI stores under ~/.grove and who else on the machine can read them.

Finding 4: Remote installer piped to bash

What this means

You are trusting the current contents of Grove's remote installer at install time.

Why it was flagged

The CLI installation is a remote shell script piped to bash. This is disclosed and purpose-aligned, but the provided artifacts do not include a checksum, pinned version, or reviewed installer contents.

Skill content

    curl -fsSL https://grove.city/install-cli.sh | bash

Recommendation

Review the installer before running it, install from a pinned release if available, and only use it if you trust grove.city.
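The pipe-to-bash step can be replaced with a download, review, verify, then execute flow. The functions below are an added example for this review, not Grove's installer or any Grove-published digest: the artifacts reviewed do not include a checksum, so EXPECTED_SHA256 is deliberately an all-zero placeholder that must be replaced with a value obtained out of band (a release page or a signed checksum file) before anything will execute. The INSTALL_SHELL override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: replaces `curl -fsSL https://grove.city/install-cli.sh | bash` with
# download -> pinned SHA-256 check -> execute. Not Grove's own installer flow.
INSTALLER_URL="https://grove.city/install-cli.sh"
# Placeholder (all zeros): no digest is published in the reviewed artifacts; pin a real one.
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
INSTALL_SHELL="${INSTALL_SHELL:-bash}"   # interpreter used to run the verified script

# sha256_file FILE -> prints the hex digest using whichever tool the host provides
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_installer FILE EXPECTED -> 0 only when FILE's digest equals the pinned value
verify_installer() {
  actual=$(sha256_file "$1") || return 1
  [ "$actual" = "$2" ]
}

# verify_and_run FILE EXPECTED -> execute FILE only after the digest check passes.
# On mismatch the file is left in place for inspection and 2 is returned;
# otherwise the installer's own exit status is propagated.
verify_and_run() {
  if ! verify_installer "$1" "$2"; then
    echo "digest mismatch for $1: expected $2, got ${actual:-?}; not executing" >&2
    return 2
  fi
  "$INSTALL_SHELL" "$1"
}

# fetch_verify_run URL EXPECTED -> the complete replacement for `curl ... | bash`
fetch_verify_run() {
  tmp=$(mktemp) || return 1
  curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
  # Read the file before the first pin: ${PAGER:-less} "$tmp"; then pin the digest of what you read.
  rc=0
  verify_and_run "$tmp" "$2" || rc=$?
  [ "$rc" -eq 2 ] || rm -f "$tmp"
  return "$rc"
}
```

The first run is the review run: download, read the script, record its digest, and pin it. From then on the digest check, not trust in grove.city's current contents, decides whether the script executes; a changed installer fails closed and stays on disk for comparison.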

Finding 5: Balance alerts sent to an external webhook

What this means

A webhook recipient could see Grove balance alerts and related timing information.

Why it was flagged

The monitor can send balance and threshold details to a user-supplied webhook. This is expected for alerts, but it transmits financial balance information outside the local machine.

Skill content

    curl -X POST -H "Content-Type: application/json" \
         -d "$payload" "$WEBHOOK_URL"

Recommendation

Use only trusted webhook URLs, avoid sending alerts to shared or public endpoints, and rotate webhook secrets if exposed.

Finding 6: Tip history persisted in agent logs

What this means

Your agent logs may contain a history of what content you tipped, how much you paid, and why.

Why it was flagged

The skill recommends persisting tip metadata in agent logs. That is purpose-aligned for Grove's knowledge-graph concept, but it records payment-related history and rationale for later reuse.

Skill content

    Recommended fields (store in your agent logs): Canonical URL ... Destination ... Amount + token/network ... rationale

Recommendation

Keep those logs private, set retention limits, and avoid logging sensitive browsing or payment rationale unless needed.