ape-claw

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This skill can install an unreviewed crypto CLI and let an agent sign wallet transactions, including an autonomous NFT-buy mode, so it needs careful review before use.

Install only if you trust and have reviewed the ApeClaw CLI source. Use a dedicated wallet with minimal funds, never expose a main wallet private key, avoid the autonomous buy mode by default, and require explicit per-transaction approval for buys or bridges.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

Piping this remote script to bash gives whoever controls that URL code execution in the local environment before the user can verify what the script does.

Why it was flagged

The skill asks users to execute an unpinned remote installer from GitHub, but no code or install spec is provided for review in the artifact set.

Skill content

    curl -fsSL https://raw.githubusercontent.com/simplefarmer69/ape-claw/main/install.sh | bash

Recommendation

Review and pin the installer/CLI source before running it, prefer a signed package or reviewed release, and avoid pipe-to-bash installs for wallet-connected tooling.

Finding 2

What this means

If the private key is exposed or misused, funds or NFTs in that wallet could be spent or moved.

Why it was flagged

The execute path needs a wallet private key capable of signing purchases or bridge transactions, while the registry metadata lists no required env vars or primary credential.

Skill content

    | `APE_CLAW_PRIVATE_KEY` | Any `--execute` path (buy or bridge) |

Recommendation

Use only a dedicated low-balance wallet, set strict spend limits, avoid storing a main wallet private key in the agent environment, and require explicit approval for each transaction.

Finding 3

What this means

An agent with wallet credentials could buy NFTs without the user manually confirming the exact collection, token, and price at execution time.

Why it was flagged

The documented bot path, which the skill recommends, executes a purchase autonomously and states that the confirm phrase is generated internally, so the step meant to secure a clear human confirmation can be bypassed.

Skill content

    Autonomous one-command execute (recommended for bots): ... $CLI nft buy --quote <quoteId> --execute --autonomous --json

Recommendation

Disable or avoid autonomous execution unless strong external limits are in place; require a user-visible quote, simulation result, exact confirm phrase, and final approval before every purchase or bridge.