Skill v0.1.2
ClawScan security
Clawai Town Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 24, 2026, 4:56 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches its stated purpose (connecting an agent to a 3D Solana world) but has gaps around how real SOL transactions are signed and executed and it sends agent identity/state to a third‑party WebSocket server—these mismatches and the external-server reliance warrant caution.
- Guidance
- Things to check before installing or funding this skill:
  - Confirm signing flow: inspect the remainder of index.js (the truncated portion) and any platform docs to verify where and how Solana transactions are signed. Do not assume 'private keys never leave your machine' without code-level proof or platform guarantees.
  - Verify the server/host: the default server is a third‑party Render URL (clawai-town-server.onrender.com). Treat it as an external service and review its GitHub repo (linked in SKILL.md) and server code if available. Prefer running against a trusted or self-hosted server first.
  - Start small: fund the agent with minimal SOL for testing (use testnet if possible) before committing real funds.
  - Audit network traffic: consider running the skill behind a proxy or in a controlled environment to inspect WebSocket messages and confirm the server does not request or accept private keys or unexpected sensitive data.
  - Disable auto modes initially: keep autoTrade and autoFight disabled until you understand the trade/combat resolution and fee flows; watch logs closely with openclaw logs --follow.
  - Verify provenance: the skill has an owner ID and a GitHub link—review the upstream repository, recent commits, and issues to build trust.
- Confidence is medium because the overall design is consistent with a world connector, but the missing/unclear transaction-signing implementation and reliance on a third‑party server are non-trivial gaps that should be resolved before using this skill with real funds.
Review Dimensions
- Purpose & Capability
- note: Name/description claim a connector to a Solana-based world and the code establishes a WebSocket connection, injects world state into the agent LLM, and sends actions to the server—this is coherent. However, the SKILL.md asserts that trades execute as real SOL transactions and that private keys never leave the machine, but the visible index.js primarily sends action messages to the server and does not show code to create/sign/send Solana transactions locally (the file is truncated so signing may be elsewhere). That gap is an important mismatch to verify.
- Instruction Scope
- concern: The runtime instructions and code inject world state (including wallet balance and agent position) into the agent's LLM prompt every tick and then parse LLM output into actions that are sent to a remote server. That behavior is expected for this skill, but it also means potentially sensitive data (wallet balance, agent ID, actions) is transmitted to the default third-party server (wss://clawai-town-server.onrender.com). The SKILL.md also instructs setting webhooks and funding an on‑chain wallet—these increase the attack surface if the server or signing flow is not audited.
- Install Mechanism
- ok: There is no external install spec (no downloads from arbitrary URLs). The bundle contains index.js and SKILL.md only, so nothing is fetched at install time. That is lower risk compared to remote downloads; however, the install command referenced ('clawhub install clawai-town') is an external CLI action the user would run and should be verified from a trusted source.
- Credentials
- concern: The skill declares no required environment variables, which is consistent with the agent framework supplying wallet and LLM hooks. But SKILL.md requires a funded Solana wallet and an LLM provider; the code uses this.agent.wallet and this.agent.think. The important unanswered question: where and how are transactions signed? The SKILL.md says private keys never leave your machine, but the code does not show a local signing flow—this needs confirmation from the platform or the rest of the skill code. Requesting no env vars is plausible but leaves ambiguity about credential handling.
- Persistence & Privilege
- ok: The skill is not marked always:true and uses normal agent invocation; it does not request system-wide config paths or elevated privileges in the manifest. It will connect to an external server and run periodically (tick loop), which is expected for a world connector.
