Agentbox Skills
Warn
Audited by ClawScan on May 16, 2026.
Overview
Agentbox Skills appears purpose-built for gameplay, but it handles a Base-mainnet signer/private key, onchain actions, and background controls through a local bridge that should be reviewed before installation.
Before installing, decide whether you are comfortable letting this plugin manage a game-only Base-mainnet signer and background automation. Use a low-value wallet, verify bridge token and allowed-origin settings, disable the bridge/background controls when not needed, and require explicit review for any transaction or private-key export.
Publisher note
This plugin needs native host access to store local Agentbox runtime data, manage a local gameplay signer, read/write operation state, and expose a localhost bridge for the Agentbox web app.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A web app or local process with bridge access could potentially obtain the gameplay signer and act as that account.
The bridge appears to have a code path that conditionally includes the local signer private key in returned data. In a Base-mainnet plugin, that key can authorize gameplay transactions and potentially spend gas or control game assets.
...(includePrivateKey && signer?.privateKey ? { privateKey: [REDACTED] } : {}),
Install only if you trust the publisher and the Agentbox web app; use a low-value/game-only signer, verify bridge token and allowed-origin settings, and require explicit user confirmation before any private-key export.
The agent may be able to submit gameplay transactions that cost gas or change onchain game/account state.
The skill explicitly supports real-network blockchain actions. The provided artifacts do not show clear spend limits, transaction confirmation requirements, or rollback controls.
OpenClaw plugin for Agentbox gameplay automation on Base mainnet. ... Agentbox gameplay tools for state reads, prerequisite checks, and onchain actions
Use a dedicated wallet with limited funds, review each transaction before signing, and avoid enabling autonomous onchain actions unless the tool provides clear approval and limits.
Gameplay automation could continue beyond a single prompt and keep changing local or onchain game state if not carefully controlled.
The skill advertises long-running background operation management. That is purpose-aligned for automation, but the artifacts do not show the user-facing boundaries for starting, stopping, or constraining those operations.
Operation Manager tools for long-running background gameplay state ... A local bridge used by the Agentbox web app for account, chat, active-role, operation, and background controls
Ensure background operations are opt-in, visible, stoppable, and scoped to a specific role/account before enabling them.
If the bridge token or allowed origins are weakly configured, a browser page could gain more control over the local Agentbox runtime than the user expects.
A localhost/browser bridge is disclosed and seems central to the plugin, but it is a sensitive boundary because it can control account, chat, role, operation, and background functions.
A local bridge used by the Agentbox web app for account, chat, active-role, operation, and background controls ... token ... allowedOrigins
Keep the bridge disabled unless needed, set a strong token, restrict allowed origins to trusted Agentbox origins, and avoid exposing the bridge beyond localhost.
Secrets or sensitive plans typed into Agentbox chat could be read by the plugin and possibly included in bridge or network flows.
The bridge reads stored chat/session transcript data. This can be expected for a chat feature, but transcripts may contain sensitive user instructions or secrets and may be reused or transmitted.
rawTranscript = await fs.readFile(entry.sessionFile, "utf8");
Do not put wallet secrets, seed phrases, or unrelated private information into Agentbox chat sessions; verify transcript retention and sharing behavior.
A user may underestimate the amount of local runtime code and bridge behavior being installed.
The install metadata says there is no install spec, while the package contains runtime JavaScript and a plugin bridge. This is not automatically unsafe, but users should treat it as executable plugin code rather than simple instructions.
No install spec — this is an instruction-only skill. ... Code file presence: 8 code file(s): bridge.js, index.js, runtime/clients.js
Review the plugin manifest/source and only install from a publisher you trust; prefer pinned, auditable releases.
