Planet Express Marketplace
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for a file marketplace, but it includes blockchain payment and public file-listing flows that should have clearer user approval and spending limits.
Review this skill carefully before use. It appears purpose-aligned, but only use it when you are ready to approve specific purchases or listings, verify all wallet prompts, and avoid uploading or selling files you do not intend to publish through the marketplace.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a payment-capable agent or wallet integration, a mistaken or over-autonomous action could spend funds or list a file for sale.
The skill documents workflows that can spend cryptocurrency or pay a listing fee, but does not state that the agent must obtain explicit user approval for the amount, chain, recipient/contract, listingId, or file details before payment.
“Send payment on your preferred chain (MON, SOL, or USDC on Base)” and “List a File for Sale ($30 Listing Fee)”
Require explicit user confirmation before every purchase or listing payment, including the exact amount, chain, contract/recipient, listing ID, file ID, and whether the action is reversible.

Using the skill may expose wallet addresses and create public transaction history tied to marketplace purchases or listings.
The marketplace necessarily involves a user wallet address and payment authority. This is purpose-aligned, and no credential leakage or hardcoded wallet secrets are shown.
“Payment: MON, SOL, or Base USDC” and “buyerAddress”: “0x...”
Use a dedicated wallet or spending-limited account, and verify any wallet prompt before signing.

Installing packages from public registries can run third-party code on the user’s machine.
The skill suggests optional SDK installs without pinning versions or providing package provenance in the artifact set.
“Install SDK: `npm i dropclaw` or `pip install dropclaw`”
Verify the package source and pin trusted versions before installing any SDK.
