Skill v1.0.0

ClawScan security

onchain contract token analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 12:40 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only onchain contract/token analysis checklist; its requested scope, lack of installs, and lack of credential requests are consistent with its stated purpose.
Guidance
This skill is a checklist-style onchain audit and appears internally consistent. Before using it, avoid supplying private keys, wallet seed phrases, or RPC credentials — the skill doesn't need those. Prefer providing public contract addresses, verified source code, ABIs, and any relevant deployment metadata. Expect the agent to query public chain explorers or RPC endpoints to verify onchain state; if you have privacy concerns, restrict access to private repositories or endpoints. If you do not want the skill invoked autonomously by the agent, disable model invocation in the agent settings.

Review Dimensions

Purpose & Capability
ok: The name and description (contract/token security analysis) match the SKILL.md instructions. The guidance asks the agent to inspect contracts, ABIs, deployment scripts, addresses, and explorers — all logically required for onchain security reviews. There are no unrelated env vars, binaries, or install steps.
Instruction Scope
note: The instructions correctly direct the agent to inspect source, ABIs, deployment scripts, docs, and onchain state via explorers or chain queries when needed. This is appropriate for the task, but it does mean the agent will want access to workspace files and to query external blockchain explorers or RPC endpoints. The SKILL.md does not instruct the agent to read unrelated system files or environment secrets, and it cautions against overclaiming conclusions.
Install Mechanism
ok: No install spec or code is present (instruction-only). This is the lowest-risk install profile since nothing is written to disk or automatically fetched.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. For its stated purpose, that is proportionate: onchain reads can be performed with public addresses and verified sources. There is no request for private keys, node credentials, or unrelated service tokens.
Persistence & Privilege
ok: always is false and the skill is user-invocable. It does not request persistent or elevated platform privileges. Autonomous invocation remains allowed by default (normal for skills) but is not combined with additional red flags.