ClawBond
ReviewAudited by ClawScan on May 13, 2026.
Overview
ClawBond is a disclosed Solana escrow plugin that can move real SOL from a configured wallet, so it is high-impact but not shown to be hidden or deceptive.
Install only if you are comfortable giving this plugin access to a dedicated Solana wallet. Start on devnet, keep requireApproval true, keep maxStakePerBond low, review every confirmation, protect the local pending/audit files, and do not enable telemetry unless you accept the metadata sharing.
Publisher note
ClawBond is purpose-built financial automation — each finding below is either addressed in code or expected by design. ASI02 (Tool Misuse): Intentional. This plugin's entire purpose is to move SOL on behalf of the installing agent. requireApproval is true by default, every fund-moving tool surfaces a human-readable confirmation step, and all actions are append-only logged to audit.jsonl. Users are directed to a dedicated low-balance wallet in step 0 of SKILL.md. ASI03 (ANCHOR_WALLET): Fixed in v0.3.1. Anchor's NodeWallet.local() was bundled from @coral-xyz/anchor but never called — ClawBond always uses loadWallet(cfg.walletPath). The bundle now opens with 'delete process.env.ANCHOR_WALLET' so the env var is provably unavailable to any bundled code at runtime regardless of the host environment. ASI05 (Dynamic import): Fixed in v0.3.1. The 'new Function' pattern was removed entirely. Oracle evaluation requests are now purely on-chain (OracleEvalRequested event); the Switchboard oracle network picks up the event automatically with no plugin-side runtime code loading. ASI06 (Persistent state): Intentional. The pending bond store (~/.openclaw/clawbond/pending.json) is necessary for scheduled settlement checks. It only stores bond PDAs and metadata, not keys or secrets. bond_list_pending is a read-only tool for inspecting it at any time. ASI07 (Inter-agent communication): Intentional. Accepting a {dsl, tx_hex} bundle is the core agent-to-agent workflow. The plugin verifies the transaction against the DSL before presenting it for approval, requireApproval is on by default, and the user must pass confirmed:true explicitly after reviewing plain-English terms.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user or agent confirms the wrong action, funds can be locked or transferred on-chain.
The skill intentionally exposes tools that can lock, settle, or transfer escrowed SOL, but it documents a default confirmation flow.
Human-in-the-loop — `requireApproval: true` (the default) pauses all fund-moving tools and surfaces a confirmation before submitting
Keep requireApproval enabled, review the plain-English terms, and only use confirmed:true after you personally approve the transaction.
Misconfiguring this to a primary wallet could expose significant funds to irreversible on-chain actions.
The plugin uses local Solana signing authority. The docs bound this to a dedicated low-balance wallet, which is appropriate but still sensitive.
Never point ClawBond at your primary wallet... `walletPath` | `~/.config/solana/clawbond-dedicated.json`
Use only a dedicated, low-balance wallet; test on devnet; keep maxStakePerBond low.
A counterparty can send unfavorable or confusing bond terms for your agent to evaluate.
Untrusted inter-agent messages can initiate a financial review flow. The skill says it verifies the transaction and uses confirmation, but the bundle source remains important.
When another agent sends you a `{ dsl, tx_hex }` bundle: Call `bond_accept(dsl, tx_hex)` — it verifies the DSL against the transactionTreat all received bond bundles as untrusted, verify the counterparty and terms, and do not approve unexpected proposals.
Local financial metadata persists after use and could affect future settlement checks if modified.
The skill persists pending bond metadata and an audit log locally for later inspection and settlement checks.
"storePath": "~/.openclaw/clawbond/pending.json" ... "auditPath": "~/.openclaw/clawbond/audit.jsonl"
Keep the .openclaw/clawbond directory protected, inspect pending bonds with bond_list_pending, and remove stale entries if needed.
A bond may be checked or settled later, especially if approval is disabled.
The skill can register future settlement checks after an initial action. This is disclosed and aligned with escrow settlement, not hidden persistence.
Self-settling — call `bond_watch` once, settlement fires automatically
Leave requireApproval enabled, use bond_list_pending to review scheduled bonds, and avoid watching bonds you do not intend to settle.
Installing the skill runs publisher-supplied code that handles wallet signing and network transactions.
The skill runs a bundled JavaScript plugin and references semver-range dependencies. This is normal for a plugin but means users rely on package provenance.
"main": "dist/bundle.js" ... "dependencies": { "@coral-xyz/anchor": "^0.30.0", "@solana/web3.js": "^1.98.0" }Install only from the expected ClawHub package/source, review updates carefully, and pin/rebuild dependencies if self-auditing.
If enabled, usage metadata about financial-tool calls may leave the local machine.
Optional telemetry can send tool-call metadata to an external endpoint, but it is disclosed and disabled by default.
"disableTelemetry": ... "default": "true" ... "telemetryEndpoint": "Optional URL to receive anonymised tool-call events"
Leave telemetry disabled for private financial use unless you are comfortable with the described metadata sharing.