OpenFunderse Strategy
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill needs review because it asks for a blockchain private key and includes asset-moving and daemon submission commands that go beyond its stated allocation-only role.
Install only if you intend to run a broader blockchain participant/vault bot, not just allocation validation. Review the npm package first, use a fresh low-value dedicated wallet, keep explicit-submit requirements enabled, avoid auto-submit/daemon mode until tested, and back up OpenClaw configuration before running install or bot-init.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install this expecting only allocation handling, but the skill also documents financial vault operations.
The narrow 'AllocationClaimV1 only' framing is contradicted by documented vault commands that can move assets when submitted.
Participant role proposes and validates `AllocationClaimV1` only. ... `/deposit --amount <wei> ... [--submit]` ... `/withdraw --amount <wei> ... [--submit]` ... `/redeem --shares <wei> ... [--submit]`
Treat the skill as a broader fund/vault operations bot unless the extra commands are removed or clearly documented in the description and metadata.
If the key is over-funded, reused, exposed, or misused by the runtime, funds or on-chain permissions tied to that wallet could be affected.
The skill requires a blockchain signing key. That is expected for a participant bot, but it is high-impact authority and is paired with submit-capable allocation and vault actions.
`PARTICIPANT_PRIVATE_KEY` is highly sensitive. Use a dedicated wallet key for this bot; never reuse treasury/admin keys.
Use only a fresh dedicated wallet with minimal funds and permissions, never a treasury/admin key, and verify every submit-capable action before enabling it.
A misconfigured or overly autonomous daemon could submit repeated allocation actions without the user noticing each one.
The documented daemon can run repeatedly and includes a submit mode, but the artifact does not show clear bounds such as duration, stop conditions, or per-submit confirmation.
`/participant_daemon --fund-id <id> --strategy <A|B|C> [--interval-sec <n>] [--epoch-source <relayer|fixed>] [--epoch-id <n>] [--submit]`
Keep auto-submit disabled unless necessary, require explicit confirmation for submissions, and run daemons only with clear stop conditions and monitoring.
Installing it means trusting external package code with sensitive bot setup and signing-key handling.
The skill relies on npm-fetched runtime code that is not included in the reviewed artifacts; this matters because the runtime is expected to handle wallet keys and OpenClaw configuration.
Installing via `npx @wiimdy/openfunderse@2.0.0 ...` executes code fetched from npm. Prefer pinning a known version (as shown) and reviewing the package source before running in production.
Review the exact npm package source and integrity before installation, pin the version, and test in an isolated environment with a low-value wallet.
Setup could change shared runtime configuration or restart the gateway, potentially disrupting other OpenClaw skills.
The skill explicitly discloses global OpenClaw configuration changes and gateway restart behavior, which can affect more than this one skill.
By default, `install` and `bot-init` also sync env vars into `~/.openclaw/openclaw.json` and `bot-init` runs `openclaw gateway restart`. This mutates global OpenClaw runtime state and can affect other skills.
Back up `~/.openclaw/openclaw.json` first and use `--no-sync-openclaw-env` or `--no-restart-openclaw-gateway` when you want file-only or no-restart behavior.
