Clanker
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clanker
Version: 1.0.0
This skill is classified as suspicious due to its inherent high-risk nature, requiring and directly handling blockchain private keys to sign transactions that can spend real ETH for token deployment and liquidity provision. While the skill provides explicit warnings about private key security and appears to follow best practices for its stated purpose (deploying ERC20 tokens on Base), the direct interaction with private keys and potential for real financial loss elevates it beyond benign. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized remote control, but the core functionality itself carries significant risk, primarily involving `scripts/clanker.sh` and `scripts/deploy.py`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or scripts misuse this key, the wallet can spend funds, deploy contracts, or make irreversible blockchain transactions.
The skill requires a wallet private key that can authorize blockchain transactions. This is high-impact account authority, especially because the supplied registry requirements list no primary credential or required config path.
Create a config file at `~/.clawdbot/skills/clanker/config.json` ... "private_key": "YOUR_PRIVATE_KEY"
Use a dedicated burner wallet with minimal funds, prefer testnet first, and require the skill metadata to explicitly declare the private-key/config requirement.
A mistaken or autonomous invocation could spend real ETH and publish an irreversible token deployment.
The documented mainnet deployment command can spend ETH and create a public token. The visible instructions do not clearly describe a confirmation gate, spending limit, or safe default to prevent unintended mainnet transactions.
clanker.sh deploy "My Token" MYT 0.1 ... Deploys an ERC20 token with 0.1 ETH initial liquidity on Uniswap V4.
Require explicit user confirmation for every mainnet transaction, default to testnet where possible, and show the target network, contract, gas, and ETH value before signing.
A dependency change or compromised package source could affect deployment behavior in the local environment.
Installing web3 is expected for this blockchain deployment skill, but the dependency is unpinned and not captured in an install spec or lockfile.
For token deployment, install web3 Python package: `pip install web3`
Install in a virtual environment and prefer pinned, reviewed dependency versions.
