Skill v0.1.4

ClawScan security

OpenCog · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 16, 2026, 12:42 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is a CLI for on‑chain prediction‑market trading and legitimately needs a local private key and Node tooling, but its registry metadata omits required credentials and the skill stores a plaintext private key locally — these inconsistencies and the plaintext key handling warrant caution before installing.
Guidance
What to consider before installing:

- Metadata mismatch: the registry metadata says no env vars are required, but the skill actually requires a PRIVATE_KEY (stored at ~/.openclaw/.env). Ask the publisher to fix registry metadata before trusting automated installs.
- Private key risk: the skill writes your secp256k1 private key in plaintext to ~/.openclaw/.env. This is necessary for local signing but dangerous — only use a throwaway/test wallet and set strict permissions (chmod 600). Back up the key if you care about the wallet and do not use a high‑value key.
- Test on Sepolia first: the default network is Sepolia (testnet). Never run commands on mainnet unless you explicitly pass --network mainnet and you confirm addresses and amounts with the user.
- RPC endpoint trust: if you override PRECOG_RPC_URL, use a trusted RPC provider; a malicious/untrusted RPC can observe transaction contents and metadata.
- Review code / client implementation: if you need higher assurance, inspect scripts/lib/client.mjs and other library code to verify there are no unexpected external endpoints or telemetry calls before running npm install.
- Install hygiene: run npm install in an isolated environment (container or VM) if you are unsure, and inspect package-lock.json for transitive dependencies.
- If you lack experience managing private keys, consider not installing or only experimenting with an empty/test wallet.

If the publisher cannot explain the metadata mismatch or provide an updated manifest, treat the skill with extra caution.

Review Dimensions

Purpose & Capability
note: The name/description (trade on prediction markets) matches the code and scripts: listing markets, quoting, buying/selling, wallet creation. Required binaries (node, npm) and dependency on an Ethereum client library (viem) are expected. However, the registry metadata in the provided manifest claims no required environment variables while SKILL.md and package.json declare PRIVATE_KEY (required) and optional PRECOG_RPC_URL / PRECOG_NETWORK — this metadata mismatch is an incoherence that should be corrected.
Instruction Scope
ok: SKILL.md and the scripts limit actions to local wallet creation, reading the local env file, signing transactions locally and calling blockchain RPCs. Instructions explicitly say the private key is never transmitted and warn about RPC trust. There are no instructions to read unrelated system files or to send data to unexpected external endpoints. The instruction to 'always show output verbatim' is a UI behavior requirement (not an exfiltration step) but could increase accidental disclosure of sensitive on‑chain data if misused.
Install Mechanism
note: There is no automated download-from-arbitrary-URL step; installation is the normal npm install of dependencies (viem). package-lock.json is present, which pulls packages from the public npm registry — moderate and expected risk for a Node-based blockchain client. No opaque remote archives or URL shorteners are used in the provided files.
Credentials
concern: The skill requires a PRIVATE_KEY for signing transactions and documents storing it at ~/.openclaw/.env in plaintext. Requiring a private key is proportionate to the stated purpose, but storing it in plaintext is a sensitive design choice and increases user risk unless they strictly follow the advice to use a throwaway wallet and correct file permissions. Additionally, the registry metadata incorrectly lists no required env vars while SKILL.md/package.json do — an important inconsistency. PRECOG_RPC_URL being user-configurable is reasonable but carries a documented risk if an untrusted RPC is used.
Persistence & Privilege
ok: The skill does create and use local state (~/.openclaw/.env) to persist the private key, which is normal for a local wallet CLI. 'always' is false and the skill does not request system-wide privilege or modify other skills. The persistence is scoped to the skill's own directory/config and is explained in the docs.