ClawHub
Back to skill
v1.0.0

Configure Postparams

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:43 AM.

Analysis

This instruction-only skill is purpose-aligned, but it helps prepare blockchain transactions that users should review carefully before signing.

GuidanceInstall only if you intend to configure Art Blocks PostParams. Have the agent show the discovered parameters and proposed values, then review the wallet signing prompt carefully before approving any transaction.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
build_configure_postparams_transaction(tokenId, values, chainId?, signerAddress?) ... Returns an unsigned transaction object ready to sign and submit.

The skill instructs the agent to build a blockchain transaction; this is purpose-aligned and unsigned, but it can have real on-chain effects if the user later signs and submits it.

User impactIf signed, the transaction can change configurable on-chain visual parameters for an Art Blocks token and may cost gas or revert if unauthorized.
RecommendationBefore signing, verify the token ID, chain, parameter names, values, authorization role, and wallet prompt details.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Always pass `signerAddress` when known — needed to determine artist status and validate authorization

The workflow depends on the user's wallet address and role to decide whether a parameter can be configured; this is expected for on-chain authorization and does not request private keys.

User impactThe transaction will only be effective from a wallet authorized by the token or project rules; using the wrong wallet may fail or produce the wrong authorization context.
RecommendationUse only the intended wallet address, confirm the role shown by the tool, and never provide seed phrases or private keys.