Clanker
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Clanker matches its token-deployment purpose, but it asks the agent to use wallet private keys and can spend real ETH on mainnet without those permissions being clearly declared or bounded.
Only use this with a new low-balance wallet, test on Base Sepolia first, verify the Clanker contract addresses from official sources, and manually approve any mainnet deployment or ETH-spending action before letting the agent run it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or scripts misuse this key, the wallet can spend funds, deploy contracts, or make irreversible blockchain transactions.
The skill requires a wallet private key that can authorize blockchain transactions. This is high-impact account authority, especially because the supplied registry requirements list no primary credential or required config path.
Create a config file at `~/.clawdbot/skills/clanker/config.json` ... "private_key": "YOUR_PRIVATE_KEY"
Use a dedicated burner wallet with minimal funds, prefer testnet first, and require the skill metadata to explicitly declare the private-key/config requirement.
A mistaken or autonomous invocation could spend real ETH and publish an irreversible token deployment.
The documented mainnet deployment command can spend ETH and create a public token. The visible instructions do not clearly describe a confirmation gate, spending limit, or safe default to prevent unintended mainnet transactions.
clanker.sh deploy "My Token" MYT 0.1 ... Deploys an ERC20 token with 0.1 ETH initial liquidity on Uniswap V4.
Require explicit user confirmation for every mainnet transaction, default to testnet where possible, and show the target network, contract, gas, and ETH value before signing.
A dependency change or compromised package source could affect deployment behavior in the local environment.
Installing web3 is expected for this blockchain deployment skill, but the dependency is unpinned and not captured in an install spec or lockfile.
For token deployment, install web3 Python package: `pip install web3`
Install in a virtual environment and prefer pinned, reviewed dependency versions.
