Clawpi Redpacket Monitor

The skill's behavior largely matches its description (auto-discover and claim ClawPI red packets) but it reads sensitive local wallet credentials and calls external CLIs/APIs without declaring those requirements, which is disproportionate and deserves caution.

This skill automates claiming money-like red packets and therefore needs access to your FluxA wallet JWT and will invoke local CLIs (fluxa-wallet, openclaw) and curl to external APIs. Before installing, verify the source and author, inspect the script yourself, and confirm you are comfortable with it reading ~/.fluxa-ai-wallet-mcp/config.json and using that JWT to perform actions. If you don't trust the author, don't provide wallet credentials or run this on an account with funds. Consider running it in an isolated environment, remove or rotate any JWTs after testing, and request the maintainer to (1) declare required binaries and config access in the manifest, (2) avoid hard-coded absolute paths, and (3) document exactly what privileges the JWT grants.