Clanker
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or scripts misuse this key, the wallet can spend funds, deploy contracts, or make irreversible blockchain transactions.
The skill requires a wallet private key that can authorize blockchain transactions. This is high-impact account authority, especially because the supplied registry requirements list no primary credential or required config path.
Create a config file at `~/.clawdbot/skills/clanker/config.json` ... "private_key": "YOUR_PRIVATE_KEY"
Use a dedicated burner wallet with minimal funds, prefer testnet first, and require the skill metadata to explicitly declare the private-key/config requirement.
A mistaken or autonomous invocation could spend real ETH and publish an irreversible token deployment.
The documented mainnet deployment command can spend ETH and create a public token. The visible instructions do not clearly describe a confirmation gate, spending limit, or safe default to prevent unintended mainnet transactions.
clanker.sh deploy "My Token" MYT 0.1 ... Deploys an ERC20 token with 0.1 ETH initial liquidity on Uniswap V4.
Require explicit user confirmation for every mainnet transaction, default to testnet where possible, and show the target network, contract, gas, and ETH value before signing.
A dependency change or compromised package source could affect deployment behavior in the local environment.
Installing web3 is expected for this blockchain deployment skill, but the dependency is unpinned and not captured in an install spec or lockfile.
For token deployment, install web3 Python package: `pip install web3`
Install in a virtual environment and prefer pinned, reviewed dependency versions.