Skillv0.1.0

ClawScan security

Trade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 8:57 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (swap tokens on Base) matches its instructions, but it relies on running an unpinned npm CLI via npx (remote code execution risk) and does not declare how wallet credentials are accessed, which is disproportionate for an instruction-only skill.
Guidance: This skill does what it says (trades tokens) but it executes an unpinned npm package at runtime (npx awal@latest) and relies on a wallet authentication step that is not described. Before installing or using it: verify the `awal` CLI's source and maintainers, prefer a pinned version rather than @latest, inspect the package code (or its published repository) to see how it handles keys and approvals, and avoid entering private keys into prompts unless you trust the package. If possible, run trades from an isolated/hard-limited wallet (small funds) or ask the author for a versioned, auditable integration that documents exactly how authentication and signing are performed.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md tells the agent to perform token swaps on Base using the `npx awal@latest trade` CLI, and the token aliases/arguments align with that purpose.
Instruction Scope: noteInstructions are narrowly scoped to calling the `awal` CLI (status/trade/balance) and handling amounts/tokens; they do not ask the agent to read arbitrary system files. However, they direct the agent to execute remote code (npx) that will interact with the user's wallet — the exact wallet access surface is not described here.
Install Mechanism: concernThere is no install spec in the skill, but allowed-tools explicitly rely on `npx awal@latest`. Running npx fetches and executes code from the npm registry at runtime, and the skill pins to @latest (unversioned), introducing supply-chain / arbitrary remote-code risk. This is expected for a CLI-based approach but is a noteworthy risk that is not mitigated here (no pinned version, no source/homepage).
Credentials: concernThe skill declares no required env vars or credentials, yet trading requires a wallet/authentication step. The SKILL.md refers to being "authenticated" and an external `authenticate-wallet` skill, but it does not declare what secrets or local wallet files the CLI will access. Lack of explicit credential declarations hides where private keys or wallets will be read or supplied.
Persistence & Privilege: okThe skill is user-invocable, not always-included, and does not request persistent privileges or modify other skills. Autonomous invocation is enabled (disable-model-invocation: false), which is normal; nothing here grants unusual system-wide persistence.