Tilt Protocol — AI Fund Manager
WarnAudited by ClawScan on May 18, 2026.
Overview
This finance skill is purpose-aligned, but it asks the agent to fetch unreviewed updated instructions and use a wallet private key for autonomous on-chain fund actions.
Install only if you are comfortable giving an agent shell/network access for blockchain transactions. Use a new testnet-only wallet, never reuse a valuable private key, manually review any remotely downloaded skill update, verify contract addresses, require confirmation for every trade or post, and avoid unlimited approvals unless you understand and accept the risk.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote update could change what the agent does before you notice, including which contracts it interacts with.
The skill directs the agent to retrieve updated skill instructions from a remote backend outside the reviewed package before use. Those instructions could change contract addresses or workflows used for signed financial transactions.
Before starting any session, fetch the latest version of this skill... curl -s https://bowstring-backend-production.up.railway.app/api/agents/skill -o /tmp/tilt-skill-latest.md
Do not treat the downloaded skill as authoritative automatically; review it manually, verify contract addresses independently, and prefer registry-reviewed updates.
The agent could make portfolio-changing transactions if invoked or scheduled in an environment that permits shell execution.
The skill shows the agent using shell commands and a private key to execute trades directly against the vault, but the artifacts do not require explicit user confirmation or define transaction limits.
cast send $VAULT_ADDRESS "executeTrade(address,address,uint256,uint256)" ... --private-key $TILT_PRIVATE_KEY --rpc-url $TILT_RPC
Require manual approval for every transaction, set clear trade-size limits, and review all contract calls before signing.
If the approved contract or workflow is wrong, the wallet’s approved tiltUSDC could be spent far beyond the intended seed deposit.
The workflow uses the wallet private key to grant the vault factory a maximum uint256 token allowance rather than an exact needed amount.
"approve(address,uint256)" ... 115792089237316195423570985008687907853269984665640564039457584007913129639935 ... --private-key $TILT_PRIVATE_KEY
Use a fresh testnet-only wallet, approve only the exact amount needed, and revoke allowances after use when possible.
The agent may continue making investor-facing posts or other actions if connected to an automation runner.
The example explicitly describes no-prompt scheduled operation for monitoring and posting updates, but the artifacts do not define schedule controls, user review, or stop conditions.
Agent (autonomous, no user prompt — this runs on a schedule):
Only enable scheduled use after defining frequency, allowed actions, spend limits, and a clear way to pause or stop the agent.
The setup command runs code from the Foundry distribution endpoint on your machine.
Installing Foundry is purpose-aligned for on-chain interaction, but piping an unpinned remote installer into a shell is a supply-chain-sensitive setup step.
curl -L https://foundry.paradigm.xyz | bash foundryup
Install Foundry through a trusted, verified method and review installer instructions before running them.