Skillv0.1.0

ClawScan security

Authenticate Wallet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 8:39 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions generally match its stated purpose (authenticate a wallet via an email OTP CLI), but it relies on running npx to fetch/execute a remote package at runtime and contains a vague suggestion that the agent may 'access the user's email' to read OTPs — both are notable risks that should be clarified before installing.
Guidance: This skill is coherent in that it uses the 'awal' CLI to perform email OTP sign-in, but there are two things to consider before installing: 1) npx execution risk: The skill runs 'npx awal@latest' which downloads and executes code from the npm registry at runtime. If the package (or its dependencies) is malicious or compromised, that code runs on your agent host. Prefer establishing a vetted, pinned CLI binary or a fixed package version from a trusted publisher rather than executing '@latest'. 2) OTP/email access ambiguity: The SKILL.md suggests the agent can "access the user's email" to read OTPs. Unless you explicitly trust and permit the agent to read the mailbox, require manual entry of OTPs by the human. Do not give the agent mailbox credentials or automatic email access unless you understand and accept the privacy/exfiltration implications. Practical steps: - Verify the identity and reputation of the 'awal' package and its publisher on npm (or obtain an official CLI binary). Pin to a specific release instead of '@latest'. - Restrict the agent from autonomously accessing the user's email; require the human to paste OTPs. - Monitor and review outputs from any 'npx' runs the first few times, and consider running in an isolated environment if you must allow it. If you cannot verify the CLI package or are unwilling to accept npx execution risk, treat this skill as unsafe to enable.

Review Dimensions

Purpose & Capability: okName/description align with the runtime instructions: the SKILL.md only instructs using the 'npx awal' CLI to perform OTP-based login, check status, and view wallet info. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteInstructions are narrowly scoped to running 'npx awal' commands (status, auth login, auth verify, balance, address, show). However the text says 'If you have the ability to access the user's email, you can read the OTP code' — that is vague and grants the agent broad discretion about email access (potential privacy/exfiltration risk). The SKILL.md does not include explicit commands to access email, but the suggestion opens scope creep.
Install Mechanism: concernThere is no install spec, but the runtime explicitly invokes 'npx awal@latest'. npx will fetch and execute code from the npm registry at runtime; executing an unpinned '@latest' package from an unknown author can run arbitrary code on the host. This is an important runtime installation/execution risk even though no code files are bundled with the skill.
Credentials: okThe skill declares no environment variables, no credentials, and no config paths. The required access is proportional to the stated task (OTP-based CLI auth).
Persistence & Privilege: okalways:false and user-invocable:true. The skill does not request persistent system-wide privileges or to modify other skills. Autonomous invocation is allowed (disable-model-invocation:false) which is the platform default; combine this with the npx execution risk when deciding whether to allow autonomous runs.