Windfall Inference

Pass

Audited by ClawScan on May 10, 2026.

Overview

Windfall Inference appears to be a coherent paid LLM gateway, but it sends prompts to an external provider and includes billing, caching, and on-chain metadata features users should understand.

Install only if you trust Windfall/Ecofrontiers and its model providers with the prompts you send. Keep the API key private, watch usage costs, set payment limits if using x402/Base wallet flows, and avoid sending sensitive data unless the caching and on-chain attestation behavior is acceptable.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can consume paid API quota or trigger per-request wallet payments if configured that way.

Why it was flagged

The skill relies on an API key and also supports wallet-based x402 payments, which are expected for this paid inference service but authorize real usage and charges.

Skill content

Set `WINDFALL_API_KEY` in your environment... Any agent with a Base wallet can pay per-request without creating an API key.

Recommendation

Use a scoped or revocable API key, monitor usage, and set wallet or client-side spending limits before enabling x402 payments.

What this means

Prompts, conversation content, and model-use metadata may be processed by Windfall and its underlying providers.

Why it was flagged

The skill routes chat-completion messages to Windfall's hosted endpoint; this is the core function, but it means prompts and outputs leave the local environment.

Skill content

OPENAI_BASE_URL=https://windfall.ecofrontiers.xyz/v1 ...
curl https://windfall.ecofrontiers.xyz/v1/chat/completions ...
"messages": [{"role": "user", "content": "Hello"}]

Recommendation

Do not send secrets or regulated data unless you have reviewed the provider's privacy terms, data retention, and subprocessors.

What this means

Some inference metadata and hashes may persist publicly, and cached responses may be reused by the service.

Why it was flagged

The service discloses response caching and persistent on-chain attestations; these are purpose-aligned but create stored/reused data and public metadata.

Skill content

Cache hits: free ... Every inference call produces a verifiable EAS attestation on Base with: node location, energy price, carbon intensity, model used, and response hash.

Recommendation

Avoid submitting sensitive prompts unless the provider's cache and attestation behavior is acceptable for your use case.

What this means

Running the deployment script on a server gives a third-party setup script root-level execution on that machine.

Why it was flagged

A manual server setup script pipes a remote installer into bash and installs system packages; it is not part of the OpenClaw install spec, but it matters if someone self-hosts.

Skill content

curl -fsSL https://deb.nodesource.com/setup_22.x | bash -

Recommendation

Only run the deployment script in a controlled self-hosting environment after reviewing the remote installer and package sources.