Farcaster Agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its Farcaster purpose, but it asks for wallet private keys, can spend funds and post publicly, runs missing/unreviewed Node scripts, and saves credentials in plaintext.
Do not install or run this until you verify it is genuinely from Farcaster and can inspect the full source code. If you proceed, use only a fresh low-balance wallet, avoid saving plaintext credentials, and understand that setup can spend funds and post publicly.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: A user may be led to run code that was not included in the reviewed artifacts while giving it control over a funded wallet and Farcaster account.
Finding: The manifest says only SKILL.md is present, but the instructions rely on unreviewed src/ Node scripts that would receive wallet private keys and perform transactions and posts.
Evidence: PRIVATE_KEY=0x... node src/auto-setup.js "Your first cast text here"
Mitigation: Only run this from a verified official source with the full reviewed source code, package files, and pinned dependencies available; inspect the scripts before providing any private key.
Impact: If these keys are misused or exposed, someone could spend wallet funds, register or modify the Farcaster identity, and post as the account.
Finding: The skill requires raw custody and signer private keys even though the registry declares no primary credential or required environment variables; those keys grant broad authority over wallet funds and account actions.
Evidence: PRIVATE_KEY=0x... SIGNER_PRIVATE_KEY=... FID=123 node src/post-cast.js "Your cast content"
Mitigation: Use only a newly created, low-balance wallet dedicated to this skill, never a main wallet, and require a clear credential contract before installation.
Impact: Other local users, malware, backups, or future agent tasks could read these files and take over the wallet or Farcaster account.
Finding: The skill defaults to persistent plaintext storage of credentials that directly control money and account identity.
Evidence: Credentials are automatically saved to: ~/.openclaw/farcaster-credentials.json ... ./credentials.json ... Credentials are stored as plain text JSON. Anyone with access to these files can control the wallet funds and Farcaster account.
Mitigation: Prefer --no-save or a real secret manager, restrict file permissions, and delete any plaintext credential files when no longer needed.
Impact: Running the setup may spend funds and create public, persistent account activity without separate confirmations for each step.
Finding: The behavior is aligned with the skill purpose, but a single workflow performs financial transactions, account mutation, public posting, and credential storage.
Evidence: This will: 1. Detect which chain has funds ... 2. Bridge/swap ... 3. Register your FID ... 4. Add a signer key ... 6. Post your first cast ... 7. Automatically save credentials
Mitigation: Review the exact actions and costs before running setup, keep the wallet balance minimal, and require confirmation before posting or transacting.
Impact: Users may trust the skill with wallet credentials based on an unverified official claim.
Finding: The artifacts claim official status, but the provided metadata does not include a source or homepage to substantiate that claim, which matters because the skill asks for private keys.
Evidence: Description: Create Farcaster accounts and post casts autonomously. Official skill from the Farcaster team. Source: unknown. Homepage: none
Mitigation: Verify the publisher through Farcaster-controlled channels before installing or funding any wallet for this skill.
