Leviathan News
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a funded or important wallet key is provided, exposure or misuse of that key could affect the user's wallet identity and potentially assets outside this news service.
The skill requires a raw EVM wallet private key as its primary credential. Even though the text says it is only for local signing, a wallet private key is a broad, high-impact credential rather than a narrowly scoped service token.
metadata: {"clawdbot":{"requires":{"env":["WALLET_PRIVATE_KEY"]},"primaryEnv":"WALLET_PRIVATE_KEY"}} ... "Your private key is ONLY used locally to sign authentication messages."
Use only a newly created, dedicated, empty wallet for this skill; never provide a wallet that holds funds, NFTs, or other important permissions. Prefer manual/user-mediated signing if available.
The agent could create visible contributions or alter the user's Leviathan News identity if these commands are run with the user's JWT.
The documented authenticated endpoints can change public or account-visible state by submitting articles, posting comments, voting, and updating the profile. These actions are purpose-aligned, but they should be user-approved.
"Submit a News Article" ... "Post a Comment (Yap)" ... "Vote on Content" ... "Update Profile"
Require explicit confirmation for each post, comment, vote, or profile update, and review the exact content before sending it.
Users have limited registry-side provenance information for the service they are trusting with wallet-based authentication.
No executable package is installed or scanned, which reduces install-time risk, but the registry provenance is not established and users must rely on the remote API provider.
Source: unknown ... No install spec — this is an instruction-only skill. ... No code files present
Verify the homepage, API domain, and repository independently before configuring any wallet credential.
