POIDH Bounty Bot
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent for Poidh bounties, but it asks an agent to use a raw wallet private key and make irreversible on-chain bounty/payment decisions, so it needs careful review.
Only use this skill with a dedicated wallet funded just for the intended bounty. Before any signed transaction, manually confirm the chain, contract address, amount, bounty ID, and chosen winner. Treat claim URLs and documents as untrusted content, and do not let the agent accept or vote on a claim without your explicit approval.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Wallet control via raw private key
Impact: If the agent, environment, or command usage is wrong, wallet funds could be spent or moved through irreversible transactions.
Details: The skill requires a raw EOA private key for signing blockchain transactions. That credential can control the wallet broadly, not just this protocol.
Evidence: `PRIVATE_KEY` | Private key of the EOA signing transactions ...
Recommendation: Use only a dedicated low-balance wallet for this skill, never a main wallet, and confirm the chain, contract, amount, and action before any signed transaction.

2. No approval gate before on-chain actions
Impact: A mistaken or premature agent action could post a bounty, lock funds, accept a claim, or initiate/resolve a vote on-chain.
Details: The workflow uses raw transaction-sending CLI commands with a private key and value. The provided content shows high-impact actions but not a hard approval gate before sending them.
Evidence: `cast send $POIDH_CONTRACT_ADDRESS ... --value <AMOUNT> ... --private-key $PRIVATE_KEY --rpc-url $RPC_URL`
Recommendation: Require explicit user approval immediately before every `cast send`, including amount, chain, contract address, bounty ID, candidate winner, and expected effect.

3. Claimant-controlled content in the evaluation loop
Impact: A malicious claim page or document could try to steer the agent toward choosing a winner or taking actions unrelated to the bounty.
Details: The skill intentionally feeds arbitrary claimant-controlled web content into the agent's evaluation process. Such content could contain instructions that try to influence the agent before a payment decision.
Evidence: "Claim submissions are freeform — the URI could point to an image, a video, a tweet, a GitHub PR, a webpage, a document, or anything else. Evaluate whatever you find against what the bounty asked for."
Recommendation: Treat all claim content as untrusted evidence only, ignore instructions inside it, and require human review before accepting or voting on a winner.

4. Unverifiable provenance
Impact: Users have limited external context for verifying the skill's authorship or intended behavior.
Details: There is no upstream source or homepage to verify, and no packaged code to inspect beyond the instructions. This is not malicious by itself, but provenance matters more for a wallet-signing workflow.
Evidence: Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Recommendation: Review the instructions carefully and independently verify contract addresses and Poidh documentation before use.
