Skill v2.0.2

ClawScan security

OpenFunderse Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 15, 2026, 7:25 PM)
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill is coherent with a participant bot (it legitimately needs a wallet key, relayer and RPC settings), but its runtime instructions and installer perform high-impact operations (generating/storing private keys, mutating global OpenClaw config, restarting the gateway, and fetching code via npx) that materially increase risk and deserve careful review before installation.
Guidance
This pack appears to do what it says (a participant bot), but its install and runtime actions make persistent, high-impact changes. Before installing: (1) review the npm package @wiimdy/openfunderse@2.0.0 source and maintainer history; (2) never use treasury/admin keys; create a dedicated wallet and keep keys offline where feasible; (3) prefer running install with --no-sync-openclaw-env and --no-restart-openclaw-gateway to avoid automatic global mutations, and manually inspect any files written to ~/.openclaw; (4) ensure PARTICIPANT_TRUSTED_RELAYER_HOSTS and PARTICIPANT_ALLOW_HTTP_RELAYER are set conservatively to avoid talking to untrusted relayers; (5) back up and audit ~/.openclaw/openclaw.json before and after changes; (6) if you must automate submission, enable PARTICIPANT_REQUIRE_EXPLICIT_SUBMIT or similar safeguards; and (7) consider testing in an isolated VM or non-production environment first. If you want a firmer permit/deny decision, request the npm package source (or a signed release) and the exact install commands the operator intends to run so those artifacts can be examined.

Review Dimensions

Purpose & Capability
ok: Name/description (Participant MoltBot for allocation proposal/validation/submission) align with the declared requirements: node/npm, PARTICIPANT_PRIVATE_KEY, RELAYER_URL, RPC_URL, CHAIN_ID, PARTICIPANT_ADDRESS and submission flags. These are expected for a blockchain relayer/participant agent.
Instruction Scope
concern: The SKILL.md instructs the agent to run npx commands, generate or rotate wallet keys, write sensitive values into ~/.openclaw/workspace/.env.participant and ~/.openclaw/openclaw.json, and recommends restarting the OpenClaw gateway. Those actions read/write global runtime state and persistent files beyond the skill's local scope and can affect other skills and the runtime.
Install Mechanism
note: No install spec in the package registry, but SKILL.md instructs using npx @wiimdy/openfunderse@2.0.0, which fetches and executes code from npm at install time. This is a moderate-risk pattern, expected for JS-based tooling, but it requires reviewing the npm package source and its publish history before running in production.
Credentials
note: Requested env vars are relevant to the bot's function, and the primary credential (PARTICIPANT_PRIVATE_KEY) is expected. However, the skill both encourages storing and rotating private keys on disk and syncs sensitive env values into a global openclaw.json; submission-related flags and PARTICIPANT_ALLOW_HTTP_RELAYER / PARTICIPANT_TRUSTED_RELAYER_HOSTS increase the attack surface if set permissively.
Persistence & Privilege
concern: While always:false, install and bot-init explicitly mutate global OpenClaw runtime state (sync into ~/.openclaw/openclaw.json, write wallet backups to ~/.openclaw/workspace/openfunderse/wallets, run openclaw gateway restart). That gives the skill lifecycle the ability to persist secrets to disk and to affect other skills or gateway behavior.