Skillv1.0.0

ClawScan security

Agent Credit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:10 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and instructions match its stated goal (autonomous borrowing via Aave delegation) but contain several inconsistencies and high-risk choices (local private key storage, undeclared runtime dependencies, and powerful autonomous borrowing capability) that you should understand before installing.
Guidance: This skill is functionally consistent with its description (it really does borrow/repay/check Aave delegation), but it carries significant operational risk. Before installing: - Do not delegate large amounts. Use 'approveDelegation' with conservative ceilings (start $50–$100) and avoid type(uint256).max. - Use a dedicated agent wallet with minimal native funds and minimal exposure; never put your main wallet's key into the skill. - Prefer storing the agent key in a secure secrets manager or ephemeral environment variable rather than plaintext config.json; if you must use config.json, set strict file permissions (chmod 600) and keep the file off version control. - Verify and audit the scripts yourself (they are plain bash) and test on a public testnet (Base Sepolia / Eth Sepolia) before using mainnet. - Be aware the registry metadata omits required binaries/env vars: you'll need 'cast' (Foundry), jq, and bc. The SKILL.md suggests installing Foundry via its installer script — review that installer before running it. - Limit agent autonomy where possible (require manual approval for borrows), monitor health factor and delegation allowances continuously, and revoke delegation when idle. If you want, I can: (a) list the exact lines where the scripts read private keys and env vars, (b) produce a minimal checklist to harden deployment, or (c) propose a safer architecture (e.g., use an HSM or remote signer) to reduce risk.

Review Dimensions

Purpose & Capability: noteThe name/description accurately describe what the code does: scripts implement borrow/repay/status for Aave credit delegation. However registry metadata claims no required binaries/env vars/config paths while the SKILL.md and scripts require Foundry's 'cast', jq, bc and a config.json with an agent private key and RPC URL. That mismatch (declared requirements = none vs. actual requirements = cast/jq/bc + config with key) is an incoherence worth noting but it does not indicate misdirection — it looks like incomplete metadata.
Instruction Scope: concernThe SKILL.md explicitly instructs users to create a config file containing the agent's private key (~ ~/.openclaw/skills/aave-delegation/config.json) and to run the provided scripts. That is within the stated purpose but expands the attack surface: storing a signing key on disk and giving an autonomous agent scripts that can borrow funds is intrinsically dangerous. The README/safety.md discuss mitigations, but the instructions still allow continuous autonomous borrowing and rely on the user to set delegation ceilings and file permissions. The skill does not attempt to access unrelated system files, but it does require sensitive credentials to be present locally.
Install Mechanism: noteThere is no formal install spec in the registry (instruction-only), which lowers supply-chain risk. However SKILL.md recommends installing Foundry via 'curl -L https://foundry.paradigm.xyz | bash && foundryup' to get 'cast' — that is a remote install script. The scripts also rely on jq and bc but these requirements are not declared in registry metadata. Overall install risk is moderate: no arbitrary binary downloads from unknown servers in the repo, but the recommended Foundry bootstrap runs a remote installer and required binaries are undeclared.
Credentials: concernThe skill requires an agent signing key (agentPrivateKey) and the delegator's address and RPC URL in config.json to operate. Requesting a private key is proportionate for a component that must sign on-chain transactions, but this is high privilege and the skill's registry entry lists no required credentials/env vars (incoherent). The scripts also accept environment variable overrides (AAVE_AGENT_PRIVATE_KEY, AAVE_RPC_URL, etc.) that aren't declared in the registry. The skill does not request unrelated third-party credentials, but storing a private key in plaintext on disk is a major risk vector if the host is compromised.
Persistence & Privilege: concernalways: false (good). Autonomous invocation is allowed (platform default) and is necessary for the skill's purpose, but combined with the private key and ability to borrow funds, it substantially increases blast radius: a compromised agent or a prompt-injection attack could instruct the skill to borrow up to the delegated allowances. The repo includes safety guidance (per-tx caps, HF checks, revocation advice) and the borrow script enforces multiple checks, which mitigates some risk, but the overall privilege (signing transactions + autonomous borrow capability + integration guidance to combine with swapping/bridging tools) warrants caution.