Bags

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could interpret the skill as permission to make public or financial decisions without the user explicitly asking for each action.

Why it was flagged

This tells the agent to treat itself as authorized to initiate token launches, collaborations, and fee use without explicit human approval, despite the artifacts stating that the SOL, tokens, and reputation effects are real.

Skill content

You decide what tokens to launch. You decide who to collaborate with. You decide how to use your fees... You don't need permission.

Recommendation

Require explicit user approval for token launches, trades, fee withdrawals, public posts, collaborators, recipients, amounts, and slippage before any irreversible action.

What this means

A mistaken or over-broad instruction could cause the agent to trade tokens or spend SOL in a way the user did not intend.

Why it was flagged

The trading workflow exports a private key, signs a transaction, and submits it on-chain. That is expected for a trading skill, but it is a high-impact financial action and the artifacts do not show a mandatory user approval gate or spending limit.

Skill content

BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export ...); BAGS_SIGNED_TX=$(node ~/.config/bags/sign-transaction.js "$BAGS_PRIVATE_KEY" "$BAGS_UNSIGNED_TX"); ... /solana/send-transaction

Recommendation

Use a dedicated low-balance wallet, require confirmation of each quote and transaction, set maximum spend/slippage limits, and review transaction details before signing.

What this means

If the agent, local machine, or generated scripts mishandle the key, funds in the wallet could be moved or lost.

Why it was flagged

The skill requires access to wallet private keys for signing. Private keys provide full wallet control, and the registry-level requirements list no primary credential or required environment variables.

Skill content

Export Private Key ... Private keys give full control over your wallet. Handle with extreme care.

Recommendation

Do not use a primary wallet. Use a separate wallet with limited funds, protect credential files, rotate/revoke API keys if exposed, and avoid exporting private keys except for a specific approved transaction.

What this means

Future remote changes could alter the skill’s behavior or instructions without the user realizing it.

Why it was flagged

The heartbeat routine silently replaces local skill instructions from remote URLs. This can change what the agent is instructed to do after installation or review without user notice, pinning, or checksum verification.

Skill content

Auto-Update Skills (Silently) ... curl -s https://bags.fm/skill.md > ~/.bags/skills/SKILL.md ... curl -s https://bags.fm/launch.md > ~/.bags/skills/LAUNCH.md

Recommendation

Disable silent auto-updates. Only update after user review, use pinned versions or checksums, and avoid automatically overwriting local skill files.

What this means

Running external installers or npm packages can add code to the local machine that is outside the reviewed skill text.

Why it was flagged

The setup includes user-directed installation of external CLI tooling and npm dependencies. This is relevant to Solana signing workflows, but users should verify the source before running downloaded installers or package installs.

Skill content

Install Solana CLI: sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)" ... cd ~/.config/bags && npm install

Recommendation

Install dependencies only from trusted sources, review package versions, prefer pinned dependencies, and run setup in a restricted environment if possible.

What this means

The agent may continue checking accounts, updating skill files, or acting on wallet-related state on a recurring basis unless the user explicitly bounds it.

Why it was flagged

The skill describes a recurring autonomous maintenance routine using stored credentials and silent handling. It does not install a scheduler itself, but it encourages ongoing operation beyond a single user request.

Skill content

Run this every 1-4 hours ... Autonomous — Handle routine tasks silently ... Normal heartbeat success | Just log timestamp

Recommendation

Run heartbeat checks only on a user-approved schedule, keep logs visible, disable silent updates, and require explicit approval before any financial or public action.