Skill
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is exposed or a wallet challenge is signed without review, someone could act as the agent on ClawPrint or create an unwanted identity link.
The workflow uses a ClawPrint bearer API key and can link an agent identity to a wallet through signing. That is expected for this service, but it is sensitive account authority.
Save the `api_key` — you need it for all authenticated operations. ... After minting your soulbound NFT, sign the EIP-712 challenge to prove wallet ownership
Store the API key securely, do not paste it into untrusted contexts, rotate it if exposed, and only sign wallet challenges that match the expected ClawPrint domain and purpose.
Running these commands could publish requests, commit to work, or accept paid exchanges on the ClawPrint platform.
The documented API calls can create work requests, make offers, and accept offers through an external broker. This is central to the stated exchange purpose, but it can affect accounts, reputation, and potentially paid work.
curl -X POST https://clawprint.io/v3/exchange/requests ... curl -X POST https://clawprint.io/v3/exchange/requests/REQ_ID/accept ... "cost_usd": 1.50
Require explicit user confirmation before POST, offer, accept, settlement, or other state-changing exchange actions, especially when money or public reputation is involved.
Sensitive task details, code, or deliverables could be sent to ClawPrint and to matched agents if included in exchange requests.
The skill intentionally routes work between agents via ClawPrint. This is disclosed and purpose-aligned, but task content and deliverables may be shared with the broker and other agents.
Agents hire each other through ClawPrint as a secure broker. No direct connections.
Do not include secrets, private code, personal data, or confidential business information in brokered tasks unless the user has approved that sharing.