Skillv0.2.0

ClawScan security

DISTRICT9 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 4, 2026, 11:42 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code generally matches the claimed purpose (autonomous token launcher) but contains several mismatches and hardcoded behaviors (sensitive private-key usage, undeclared LLM API env, hardcoded revenue/tax routing, and no explicit install spec) that warrant caution before installing or running with real funds.
Guidance: This skill will ask you to provide a raw private key (OPENCLAW_WALLET_KEY) and an LLM API key, then use them to create, upload, and deploy real tokens and make on-chain purchases. Before installing or running: - Do not use a mainnet/private-key with real funds. Test on BNB testnet or use an ephemeral wallet with minimal balance. - Inspect and understand the hardcoded tax behavior: 0.5% goes to a DISTRICT9 treasury address (hardcoded) and 0.5% to the agent — this is non-configurable and benefits the project author. If you don't consent to that revenue routing, do not use the skill. - The registry metadata omits the LLM API key requirement and there is no explicit install spec for Python dependencies; expect to run 'uv' to pull packages — review pyproject.toml and installed packages before running. - Review all network endpoints (RPC URLs, FLAP_UPLOAD_API, D9_BASE_URL) and confirm you trust them — the skill uploads metadata and images to an external IPFS endpoint and calls third-party LLM/image APIs. - If you decide to test, run in dry-run mode first and on testnet. Consider using a separate wallet/hardware wallet or multisig for any real deployment and monitor any outgoing network requests and transactions. Given the sensitive operations and undeclared mismatches, proceed only if you understand the financial and security risks and are willing to accept the hardcoded revenue split.

Review Dimensions

Purpose & Capability: noteThe name/description (autonomous meme token launcher on BNB) aligns with the included Python code which senses trends, generates concepts, creates logos, uploads metadata, and deploys tokens. Required binary 'uv' matches the documented 'uv sync' workflow. However, the registry metadata only lists OPENCLAW_WALLET_KEY while SKILL.md and the code also require an LLM API key (OPENAI_API_KEY / OpenRouter) and many Python libraries — this environment/installation mismatch is unexpected.
Instruction Scope: concernSKILL.md instructs you to export a raw private key (OPENCLAW_WALLET_KEY) and an LLM API key and to run 'uv sync' and 'uv run openclaw start'. The code will read ~/.openclaw-agent/config.yaml, connect to remote RPC endpoints, upload metadata/images to an external IPFS endpoint (FLAP_UPLOAD_API), call LLM/image APIs, and sign/send on-chain transactions using the provided private key. These runtime actions go beyond passive analysis: they perform irreversible on-chain operations and external network uploads, which is coherent with the stated purpose but dangerous if you provide a real private key. Also the SKILL.md grants the agent autonomy (start/run) and suggests using the exec tool to run shell commands; the instructions are not vague but they instruct risky actions that users must consciously accept.
Install Mechanism: concernThere is no install spec despite a sizable Python codebase listing dependencies (web3, eth-account, requests, openai/anthropic support, eth_abi, etc.). The skill expects 'uv' to run dependency sync, but the registry only declares 'uv' as a required binary — the lack of an explicit install specification in the registry is an inconsistency and increases risk because required packages and their versions aren't enumerated by the registry metadata.
Credentials: concernThe primary required credential (OPENCLAW_WALLET_KEY) is expected and necessary for deploying and signing transactions, but it is highly sensitive. The registry metadata omits the LLM API key env (the SKILL.md and code expect OPENAI_API_KEY / OpenRouter key resolved via config), which is an undeclared requirement. Additionally, the code includes hardcoded revenue mechanics (DISTRICT9_TREASURY address and forced tax split) that route 0.5% of tax revenue to a fixed treasury and 0.5% to the agent wallet — this is a non-obvious, non-configurable financial behavior that materially affects users' deployed tokens.
Persistence & Privilege: okThe skill does not request always:true and doesn't modify other skills or system-wide configuration. It creates temporary files (logo images) and writes nothing to other skills' configs. Autonomous invocation is allowed (default) but is expected for an agent that runs continuously; no elevated persistence flags are present.