TixFlow

Review

Audited by ClawScan on May 10, 2026.

Overview

TixFlow mostly contains demo event-ticket code, but it advertises automatic ticket purchases, NFT minting, wallet use, and calendar actions without clear confirmation or credential boundaries.

Treat this as a demo/unfinished ticketing skill unless the author clearly documents live transaction handling. Do not enable API keys, wallet access, calendar writes, or ticket purchases without requiring explicit confirmation for each action and verifying whether the returned ticket is real.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could treat ticket buying or account-affecting event actions as pre-authorized, especially if live APIs are connected later.

Why it was flagged

This pairs a high-impact ticket-purchase capability with automatic agent operation, but the artifacts do not define confirmation, spend limits, cancellation rules, or user approval before purchase-related actions.

Skill content

🎫 **Smart Booking** - Purchase tickets across platforms ... 🤖 **AI Agent Power** - Let your agent handle everything automatically

Recommendation

Require explicit user confirmation for purchases, wallet actions, calendar writes, and waitlist joins; document spending limits, final review steps, and rollback or cancellation behavior.

What this means

A user might believe a ticket was purchased or minted when the skill only produced a mock result.

Why it was flagged

This response template states that a real purchase and NFT mint have completed, while the included implementation elsewhere returns mock/demo transaction and ticket IDs. That mismatch can mislead users about whether they actually have a valid ticket.

Skill content

ticketPurchased: (eventName: string) => `Great news! Your ticket for ${eventName} has been purchased and minted as an NFT!`

Recommendation

Make demo status explicit in all purchase responses, and only use real purchase-success wording after a verified live transaction from the ticketing provider.

What this means

If live integrations are added, the skill may interact with ticketing, NFT, or wallet-related accounts using user-provided credentials.

Why it was flagged

CrossMint credentials and wallet connection management are sensitive account capabilities. They fit the ticketing/NFT purpose, but the artifacts do not clearly bound what wallet operations are allowed or how these credentials are used.

Skill content

"crossmint_api", "required_env": ["CROSSMINT_API_KEY", "CROSSMINT_COLLECTION_ID"] ... "solana_wallet", "description": "Detect and manage user wallet connections"

Recommendation

Document exactly which credentials are required, what permissions they need, and what wallet actions are permitted; use least-privilege API keys and require confirmation before any wallet-affecting operation.

What this means

Installing the package may pull a newer compatible version of the Google API library than the author tested.

Why it was flagged

The skill depends on an external npm package with a semver range. This is expected for Google Calendar integration, and there is no install script shown, but dependency resolution is not pinned by a lockfile in the provided artifacts.

Skill content

"dependencies": { "googleapis": "^120.0.0" }

Recommendation

Pin dependencies with a lockfile or exact version and keep the install metadata consistent with the package contents.

What this means

If implemented live, the skill could continue monitoring events or sending notifications after the initial request.

Why it was flagged

Default notification preferences imply ongoing monitoring or future autonomous updates. This is aligned with event waitlist and price-monitoring features, but the artifacts do not show lifecycle controls such as opt-in, stop, or expiration behavior.

Skill content

"notification_preferences": { "price_drops": true, "event_changes": true, "waitlist_updates": true }

Recommendation

Make monitoring opt-in, show users how to stop it, and define retention and expiration rules for waitlists and notifications.