Skill v0.1.0
ClawScan security
ClankerKit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 12:09 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and code largely match an autonomous on-chain wallet tool, but there are provenance and metadata inconsistencies plus sensitive credentials and supply-chain risks that you should understand before installing.
- Guidance: This skill gives an agent the ability to sign and send real blockchain transactions. Before installing: (1) verify the package/source/author provenance: source/homepage are missing and versions in files disagree; (2) do not set a mainnet private key unless you fully trust the skill and have reviewed the code and dependencies; test on testnet first; (3) prefer a restricted signer or hardware signing gateway rather than putting a raw private key into an environment variable; (4) review the 'pay_for_service' and 'execute_transaction' tools, which allow arbitrary payments and calldata; set conservative policy limits and owner-approval thresholds; (5) inspect the npm dependency 'clankerkit' and package-lock for malicious packages before letting the platform run npm install. If you cannot confirm provenance and review dependencies, treat this as high-risk and avoid providing real funds or private keys.
Review Dimensions
- Purpose & Capability (note): The name/description (autonomous wallet ops) aligns with the env vars and tools (sending tokens, swaps, staking, execute_transaction). Required env vars (wallet address, policy engine address, owner address, agent private key) are reasonable for a signing agent. However, registry metadata stated no primary credential while SKILL.md declares AGENT_PRIVATE_KEY as primaryEnv, a metadata mismatch. skill.json version (0.2.0) differs from registry version (0.1.0). Source/homepage are missing, reducing provenance.
- Instruction Scope (note): SKILL.md and src/index.ts implement many powerful wallet operations (arbitrary contract calls, execute_transaction, pay_for_service, swap_tokens). These are consistent with the claimed purpose but grant the agent the ability to perform arbitrary on-chain actions (including arbitrary calldata and paying arbitrary endpoints). That capability is expected for a wallet skill but also makes misuse impactful.
- Install Mechanism (note): There is no explicit install spec, but package.json/package-lock are present and list npm dependencies (including an external 'clankerkit' package). This implies a node/npm install of third-party packages when the skill is used, which is a moderate supply-chain risk. No remote, untrusted archive URLs were found.
- Credentials (concern): The skill requires AGENT_PRIVATE_KEY in the environment, which is appropriate for signing but highly sensitive. All required env vars are related to blockchain operation, so they are proportionate, but the presence of a private key plus autonomous invocation increases risk. Also, SKILL.md and README disagree on whether AGENT_PRIVATE_KEY should include the 0x prefix, and registry metadata omitted the primary credential, so the metadata around the most sensitive secret is inconsistent.
- Persistence & Privilege (note): 'always' is false (good). 'disable-model-invocation' is false (normal), meaning the agent can invoke autonomously; combined with the agent private key this gives a large blast radius (the skill can sign and send transactions without manual approval). This is expected for an autonomous wallet but should be explicitly accepted by the user.
