Skill v1.0.0

ClawScan security

onchain contract token analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:28 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only skill whose requested actions and guidance align with its stated purpose of on‑chain contract and token analysis, and it does not ask for extra credentials, installs, or unrelated access.
Guidance
This skill appears coherent and low‑risk because it is instruction-only and requests no secrets or installs. Before using it, provide concrete, public inputs (contract source or verified address, chain, ABIs, explorer links) and avoid pasting private keys or any non-public credentials. If you expect the agent to query block explorers or RPC nodes, consider giving read‑only RPC/Explorer API access (if required by your environment) rather than any secret admin keys. Finally, treat the analysis as advisory: always cross-check critical claims against source code and on‑chain state yourself or with an auditor.

Review Dimensions

Purpose & Capability
ok: The name and description (contract/token analysis) match the SKILL.md content. All guidance focuses on onchain artifacts (contracts, ABIs, deployment scripts, addresses, fee flows, roles, upgradeability), so there are no unrelated capabilities requested.
Instruction Scope
ok: The instructions are scoped to analyzing onchain code, roles, fee flows, upgradeability, attack surfaces, and market risks. They ask the agent to infer scope from provided files/ABIs/addresses and to verify live state from chain or explorer data when needed — which is appropriate for this task. The skill does not instruct reading unrelated local files, environment secrets, or posting data to unexpected external endpoints.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes disk writes and arbitrary code execution risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The analysis workflows mention using public chain/explorer data, which is consistent with not requesting secrets.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable; it does not request elevated or persistent privileges, and it does not ask to modify other skills or system settings.