Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
This event-ticket skill is mostly demo/mock code, but it advertises automatic real ticket purchases, wallet/API access, and success confirmations without clear approval or scope.
Treat this as a prototype unless the author clarifies the real ticketing, wallet, and calendar flows. Do not connect real payment, wallet, CrossMint, or calendar credentials until the skill requires explicit approval before purchases, clearly labels demo results, documents credential scopes, and explains how waitlist/notification data is stored and removed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could believe they have a valid event ticket or calendar booking when the skill only produced mock results.
The implementation says it would integrate later and returns mock IDs, but the response template states that a real ticket was purchased and minted. This could cause a user to trust that a booking succeeded when it did not.
// Would integrate with KYD Labs protocol ... return { success: true, transactionId: "mock_tx_signature", ticketId: "mock_nft_mint" } ... `Great news! Your ticket for ${eventName} has been purchased and minted as an NFT!`
Keep demo/mock results clearly labeled in every path, and only claim a ticket was purchased or calendar event was created after a verified provider response.
If connected to real ticketing APIs, an agent could attempt purchases or bookings without clear user approval boundaries.
Purchasing tickets is a high-impact action, but the skill text does not describe mandatory user confirmation, price limits, quantity limits, or review before booking.
🎫 **Smart Booking** - Purchase tickets across platforms ... 🤖 **AI Agent Power** - Let your agent handle everything automatically
Require explicit user confirmation before any purchase, waitlist signup, minting, or calendar mutation, and document spending/quantity limits and cancellation behavior.
Connecting real wallet or minting credentials could grant the skill sensitive account authority that is broader than a user expects.
The skill claims access to minting credentials and wallet connection management, but the artifacts do not bound what wallet access means, what scopes are needed, or how user consent is enforced.
"crossmint_api", "description": "Mint cNFT tickets on Solana via CrossMint", "required_env": ["CROSSMINT_API_KEY", "CROSSMINT_COLLECTION_ID"] ... "solana_wallet", "description": "Detect and manage user wallet connections"
Declare all required credentials consistently, request the minimum scopes, avoid wallet management beyond user-provided wallet addresses unless explicitly approved, and document exactly what each credential can change.
A user's wallet address or notification preferences may be retained for waitlist monitoring if a real backend is added.
The waitlist feature is purpose-aligned, but it implies persistent storage of wallet/contact preference data and ongoing monitoring without describing retention, deletion, or reuse limits.
async function addToWaitlist(params) { const { eventId, walletAddress, notificationMethod } = params; ... // In production, this would store in database and monitor for availability
Document where waitlist data is stored, how long it is retained, how users can remove it, and ensure stored data is not reused across unrelated tasks.
Future installs may pull a different dependency version than the one the author tested.
The Google APIs package is purpose-aligned for calendar functionality, but the caret version range can install future dependency versions that were not reviewed in these artifacts.
"dependencies": { "googleapis": "^120.0.0" }
Pin dependencies or provide a lockfile, and keep install metadata consistent with the packaged code.
