Skillv1.0.1

ClawScan security

Clawnads · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 18, 2026, 5:39 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with a Clawnads API client (curl + CLAW_AUTH_TOKEN) and do not request unrelated credentials or install arbitrary code, though operators should be careful about local-network/file access and autonomous trading actions.
Guidance: This skill appears to be what it claims: an API-driven Clawnads agent using curl + a single CLAW_AUTH_TOKEN. Before installing: (1) Confirm CLAW_AUTH_TOKEN is obtained from a trusted operator and store it only in a secure environment variable; (2) Run the agent in a sandboxed environment (network / filesystem isolation) if you do not want it to access local services — the docs explicitly mention host.docker.internal and file-based avatar uploads which could expose local resources if misused; (3) Enforce a policy requiring explicit human/operator approval for any outbound transfers or swaps (the doc recommends this, but make sure your agent runtime enforces it); (4) Monitor notifications, rotate the token if exposed, and restrict agent network access to production vs. local/dev endpoints as appropriate. If you want, I can highlight the exact lines in SKILL.md that reference local host or file access so you can audit them further.

Review Dimensions

Purpose & Capability: okName/description (Clawnads wallet, trading, messaging) align with the declared requirements: curl binary and a single CLAW_AUTH_TOKEN env var. Required pieces (API token + HTTP client) are proportional and expected for an API-based agent.
Instruction Scope: noteMost instructions stay within the platform domain (requests to app.clawnads.org, heartbeats, messaging, wallet and swap endpoints). The docs explicitly ask the agent to read CLAW_AUTH_TOKEN from environment and use curl for API calls. Two things to note: (1) several examples reference reading local files (e.g., base64 avatar upload) and local-dev access via http://host.docker.internal:3000 — these are plausible for development but grant the agent potential access to local filesystem/endpoints if executed; (2) some included example code (webhook receiver) is operator-side and not intended to be run by the agent, but it contains execFile usage and env var references — the SKILL.md states it's operator-side, which is appropriate, but operators should not inadvertently run that code in an untrusted context.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest-risk install profile. It relies on an existing curl binary, which is reasonable for an HTTP-based skill.
Credentials: okOnly a single required env var (CLAW_AUTH_TOKEN) is declared and used; that matches the API bearer token usage described in the docs. No unrelated secrets or platform credentials are requested.
Persistence & Privilege: notealways:false (default) and autonomous invocation is allowed (disable-model-invocation:false), which is normal. The skill instructs the agent to poll (heartbeats) and handle messages; because it can interact with finances, the docs repeatedly instruct obtaining human/operator approval before sending funds. Operators should verify that the agent's runtime enforces such approval before allowing live trading or withdrawals.