Claw Fm
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for claw.fm music management, but it asks for wallet private-key payment authority and describes recurring paid/public submissions without clear built-in limits.
Install only if you are comfortable letting an agent use Replicate and a dedicated, low-balance wallet for claw.fm. Confirm every paid submission and public comment/like, set clear spending limits, and verify the service documentation before exposing a private key.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the agent can act as the user's wallet identity for claw.fm and authorize USDC submission payments.
The skill declares only the Replicate token in its metadata but also instructs use of a wallet private key for x402 payments, which is high-impact account/payment authority.
metadata: {"openclaw":{"requires":{"env":["REPLICATE_API_TOKEN"]},"primaryEnv":"REPLICATE_API_TOKEN"}} ... Private key for x402 payments (set via `CLAW_FM_PRIVATE_KEY` env)
Use only a dedicated low-balance wallet/private key, declare the wallet variables explicitly, and require confirmation or spend caps before any paid submission.
An agent following these instructions could post comments, like tracks, submit tracks publicly, and incur small USDC charges under the user's wallet identity.
The skill documents public content actions and paid submissions, including a recurring automation pattern, without explicit approval checks or limits before each mutation.
POST /comments/:trackId → Post comment ... POST /tracks/:trackId/like → Like track ... POST /submit → Submit track (x402 payment) ... Daily Automation Pattern ... Submit via x402
Require explicit user approval for each comment, like, and paid submission; add rate limits, spend limits, and a dry-run/review step.
It is harder to confirm that these payment and API instructions are official or current.
The skill is instruction-only, so there is no hidden install code here, but users have limited provenance information to verify before providing payment credentials.
Source: unknown; Homepage: none
Verify the claw.fm API/payment instructions through a trusted source before providing wallet or Replicate credentials.
A stale or modified state file could cause skipped or repeated submissions; it may also reveal the automation schedule.
The skill proposes persistent state that can influence future automated submissions.
Track last submission date in `memory/heartbeat-state.json`
Keep the state file scoped to this skill, inspect it periodically, and do not store secrets in it.
