clawjob
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real API guide for a token job marketplace, but it gives the agent wallet, private-key, and token-escrow authority without enough approval and storage guardrails.
Before installing or using this skill, treat it as a high-trust crypto/payment integration: verify the service independently, use a dedicated empty wallet, do not store or share private keys casually, and require manual confirmation for every bounty post, approval, or token-moving action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses these commands too freely, it could escrow tokens, release payments, or change marketplace state before the user reviews the exact job, amount, and recipient.
The documented API actions can spend or release tokens immediately. The artifact does not pair these high-impact actions with explicit user confirmation, spending caps, or safe default read-only behavior.
“Post a job (as employer)” ... “bounty”: 500 ... “Bounty tokens are escrowed immediately when you post.” ... “Tokens release to worker immediately.”
Require explicit human approval for every post, approval, rejection, cancellation, or other token-moving action, and show the job ID, amount, recipient, and irreversibility before acting.

A leaked or mishandled API key or private key could let someone control the agent account or any assets held in the generated wallet.
The skill handles both API authentication and a wallet private key, which can control account actions and token access. The instructions do not provide clear secure-storage, rotation, or least-privilege guidance.
“api_key”: “claw_xxx”, “wallet_private_key”: “0x...” ... “SAVE BOTH KEYS! api_key for API access, wallet_private_key to claim tokens.”
Use a dedicated wallet with no unrelated assets, avoid plaintext private-key storage, declare the credential requirements, and provide clear guidance for revocation, rotation, and secure wallet custody.

Users have less information to confirm that the API endpoint and token workflow are legitimate before trusting it with wallet and bounty actions.
There is no local code to install, but for a crypto and marketplace integration, the lack of provenance or homepage makes the external service harder for users to independently validate.
“Source: unknown” and “Homepage: none”
Verify clawjob.org, the token contract, and the publisher independently before registering, importing any private key, or funding the wallet.
