Mint Club V2
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill can control a crypto wallet using a private key and perform irreversible trades, swaps, token creation, transfers, and auto-approvals through an unreviewed external CLI.
Treat this as a high-risk crypto wallet automation skill. Only use it with a dedicated low-balance wallet on Base, verify the npm CLI and package version yourself, and require manual confirmation for every trade, transfer, token creation, approval, slippage setting, and recipient address.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent, CLI, or any later command misuses this key, the user's crypto assets could be traded or transferred irreversibly.
The skill directs users to provide a raw wallet private key. That key can authorize all wallet spending, while the registry metadata declares no primary credential or required environment variable.
Set your private key: ```bash mc wallet --set-private-key 0x... # Or export PRIVATE_KEY=0x... ```
Use only a new, low-balance wallet for this skill; do not import a main wallet private key. The skill should declare the credential requirement and require explicit user approval before every transaction.
A mistaken or over-broad agent action could spend gas, swap into unwanted tokens, create assets, or transfer funds to the wrong address.
The documented commands allow the agent to trade, swap, create tokens, and send funds. These are high-impact financial actions, but the artifacts do not define mandatory confirmation, spending limits, recipient checks, or rollback controls.
mc buy <token> -a <amount> mc sell <token> -a <amount> mc swap -i ETH -o HUNT -a 0.001 mc create -n "My Token" -s MYT ... mc send <address> -a 0.01
Require human confirmation for every transaction, including token, amount, recipient, slippage, gas, and contract address. Prefer read-only use unless the user explicitly requests a specific transaction.
The agent may approve token spending or route swaps in ways the user did not inspect, potentially exposing funds to unintended allowances or unfavorable trades.
The CLI is documented as automatically managing wallet state, routing swaps, and approving ERC-20 allowances. Auto-approvals and routing are risky when combined with autonomous agent execution and no documented confirmation policy.
The CLI handles: - Wallet management (`~/.mintclub/.env`) - Auto swap routing (finds best V3/V4 path) - ERC-20 approvals (auto-approves when needed)
Disable or tightly gate automatic approvals where possible, inspect allowances after use, and require the user to approve the exact route and allowance before submitting transactions.
Users must trust code that was not included in the reviewed skill package to manage their private key and submit transactions.
The skill depends on an unpinned globally installed npm package, and the submitted artifacts contain no reviewed CLI source or install spec. This is especially material because the external CLI would handle the wallet private key and blockchain transactions.
npm install -g mint.club-cli
Pin the CLI version, provide an install spec or lockfile, review the package source before use, and avoid installing or running it with a high-value wallet.