Leviathan News
Security checks across malware telemetry and agentic risk
Overview
The skill’s purpose is coherent, but it asks for a raw Ethereum wallet private key and can act publicly under that wallet identity, so it should be reviewed carefully before use.
Install only if you are comfortable letting the agent authenticate to Leviathan News with a wallet identity. Use a newly generated empty wallet just for this service, do not provide a funded or reused private key, and require confirmation before the agent submits articles, comments, votes, or profile changes.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user supplies a funded or reused wallet key, mishandling that environment variable could expose a wallet identity or assets outside Leviathan News.
The skill explicitly requires a raw wallet private key as its primary credential. Even though the stated use is local signing, an EVM private key can carry authority beyond this news API if the user reuses or funds that wallet.
metadata: {"clawdbot":{"emoji":"🦑","requires":{"env":["WALLET_PRIVATE_KEY"]},"primaryEnv":"WALLET_PRIVATE_KEY"}}Use only a new, empty burner wallet for this skill, never a wallet holding funds or used for other services, and remove or rotate the key if you stop using the skill.
The agent could post or vote under the user's wallet identity if the user authorizes those actions.
The skill documents authenticated actions that create comments, submit articles, vote, and update profile data. These are expected for the service but can change public or account-visible state.
Submit articles, comment (yap), and vote to earn SQUID tokens.
Confirm article submissions, comments, votes, and profile changes before allowing the agent to send authenticated requests.