DECK-0
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a transparent DECK-0 integration, but it can use a crypto wallet or private key to sign requests and spend funds on-chain.
Install only if you are comfortable letting an agent interact with a crypto wallet for DECK-0. Use a dedicated wallet with limited funds, prefer runtime wallet approval prompts over raw private keys, and require explicit confirmation before any transaction that spends APE or ETH.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the private key is exposed or misused, the associated wallet could sign actions or transactions the user did not intend.
The skill uses a raw wallet private key as a fallback signer. This is expected for the stated wallet and transaction workflows, and the artifact explicitly warns not to log it.
`DECK0_PRIVATE_KEY` is highly sensitive. Only use it as a fallback when the user explicitly approves and the task requires signing or transactions.
Prefer runtime wallet signing when available, use a dedicated low-balance wallet, set DECK0_PRIVATE_KEY only when needed, and never paste or print the key.
Buying packs can irreversibly spend APE or ETH and change wallet-owned assets on-chain.
The documented buy flow sends a payable smart-contract transaction using the wallet private key. This is purpose-aligned for buying packs, but it can spend native tokens.
cast send "$contract" "mintPacks(address,uint256,uint256,uint256,bytes,bytes32)" ... --value "$value" --private-key "$DECK0_PRIVATE_KEY"
Before any buy/open action, confirm the collection address, chain, quantity, total payment, gas cost, and recipient wallet with the user.