ClawAudit verdict

potato-tipper

45 · 🟠 Risky
Significant concerns — only install if you understand the risks

The skill requires PRIVATE_KEY for EOA controller access and executes real on-chain token transfers via forge script --broadcast, meaning a mistake or malicious payload could drain real cryptocurrency funds from the user's Universal Profile.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

Security: 50
Transparency: 80
Maintenance: 70

Findings (2)

Pattern match critical

Possible hardcoded credential

SKILL.md · code · Token:", potatoTokenAddress); console2.log(

Pattern match high

Long base64 string (100+ chars) — likely obfuscated payload

references/config-and-data-keys.md · code · 0x0000000000000000000000000000000000000000000000000de0b6b3a764000000000000000000

Permissions & capabilities

No declared permissions — minimal attack surface.

data_encoding
