Lawb Chess
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its wagered-chess purpose, but it asks agents to use a crypto wallet for token approvals and wagers without clear spending limits, confirmation steps, or contract provenance.
Use this only if you intentionally want to wager real crypto. Prefer a fresh low-balance wallet, verify all contract addresses independently, set exact small allowances, and require manual confirmation for every transaction before letting an agent create or join games.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following the skill could approve or spend crypto tokens for wagers, and on-chain actions may be irreversible and cost gas.
This directs the agent/user to approve token spending and create a wagered game, which can move or lock real assets; the provided text does not show explicit user confirmation, spending caps, or allowance-safety requirements.
For ERC20: first `approve(chessContract, wagerAmount)` on the token contract, then call `createGame`
Require explicit human confirmation before every wallet transaction, show the chain, contract, token, amount, allowance, and gas estimate, and enforce small exact allowances and user-defined wager limits.
Using a normal wallet could expose funds to accidental wagers, unwanted approvals, or transactions on the wrong chain/token.
The skill requires wallet-signing authority and access to funds, but the artifacts do not clearly scope which wallet may be used, how much value may be risked, or how signing authority is protected.
- EVM-compatible wallet with signing capability
- Gas tokens: ETH (Base/Arbitrum) or DMT (Sanko)
- Wager tokens: any supported token on the chosen chain
Use a dedicated low-balance wallet, revoke unused allowances, and do not let the agent access a primary wallet or sign transactions without manual review.
If the contract addresses or protocol details are wrong or unverified, funds could be sent to or approved for an unsafe contract.
The skill tells users to interact financially with specific contracts, while the supplied package metadata lists the source as unknown and has no homepage, and the artifact does not provide ABI, verification, audit, or provenance details.
### Chess Contract Addresses
| Base | `0x06b6aAe693cf1Af27d5a5df0d0AC88aF3faC9E11` |
| Sanko | `0x4a8A3BC091c33eCC1440b6734B0324f8d0457C56` |
Verify contract addresses, source code, ABI, and deployment provenance on official project channels and block explorers before using real funds.
Game state and wallet addresses may be visible or influenced through the shared real-time database, depending on Firebase rules not shown in the artifacts.
The skill relies on shared Firebase state between players and spectators; this is expected for real-time chess, but shared external state can expose wallet/game information and should be treated as untrusted unless authenticated and validated.
Both players subscribe to `chess_games/{inviteCode}` for real-time updates.
Avoid placing private information in game records, validate moves locally and on-chain where possible, and confirm the Firebase database has proper authentication and write rules.
