Agent Outlier
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is for a blockchain game, but it asks for a raw wallet private key and can spend real ETH through an external npm SDK, so it needs careful review before use.
Only install this if you understand it will use a private key to sign real Base mainnet transactions. Use a new burner wallet, fund it only with the amount you are willing to risk, pin and verify the npm packages, and require approval before every paid transaction.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong key is used or the dependency behaves unexpectedly, the wallet’s funds and assets could be at risk, not only the stated game entry fees.
The skill requires a raw wallet private key and uses it to create a signer for Base mainnet transactions. A raw private key grants broad control over the wallet, not just the Agent Outlier game.
const wallet = new ethers.Wallet(process.env.PRIVATE_KEY, provider); ... Private key is used for on-chain commits, reveals, and claims
Use a dedicated burner wallet with only the funds needed for the intended game round, and require explicit approval before every transaction.
A user could unintentionally spend ETH or submit irreversible blockchain transactions if the agent runs the flow too broadly or with the wrong parameters.
The documented full-round helper can perform multiple onchain actions in one workflow, but the artifact does not require the agent to confirm the tier, total ETH cost, contract, and each transaction before signing.
// Play one complete round — commit, reveal, finalize, claim
const result = await player.playRound(0, [10, 20, 30]);
Before any write transaction, show the contract address, tier, entry fee, gas estimate, picks, and action being signed, and ask for explicit user approval.
A changed, compromised, or different package version could affect transaction signing behavior or wallet safety.
The skill depends on unpinned external npm packages, including an SDK that receives the wallet signer, while the submitted artifact set contains no SDK code or lockfile for review.
npm install agent-outlier-sdk ethers
Pin exact package versions, provide a lockfile or reviewed source, and verify the package provenance before using it with any funded wallet.
Users may over-trust the key-handling claim even though the reviewed artifacts do not prove how the installed SDK handles the signer.
The skill makes a strong private-key safety claim, but the artifacts do not include the SDK implementation that would allow that claim to be verified.
Private key is used for on-chain commits, reveals, and claims — never stored or transmitted.
Treat the claim as unverified unless the SDK source and exact installed version are reviewed; use a limited wallet regardless.
