Skill v1.0.0
ClawScan security
Cardano Balances · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 12:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (query Cardano wallet balances/UTxOs) is plausible, but it requests a highly sensitive SEED_PHRASE environment variable without clear justification or handling instructions and installs an npm package of unknown provenance — the combination is disproportionate and worth caution.
- Guidance: Do not provide your wallet seed phrase unless you fully trust the skill and its publisher. Ask the maintainer why a SEED_PHRASE is required instead of a watch-only address or xpub. Before installing: (1) verify the npm package @indigoprotocol/cardano-mcp on the registry and inspect its repository/source and maintainer history, (2) prefer providing only public addresses or watch-only credentials when possible, (3) if you must test, use an empty/spare wallet with no funds, and (4) avoid storing your real seed phrase in environment variables for third-party skills.
Review Dimensions
- Purpose & Capability (note): The skill's functionality (getting balances, addresses, UTxOs) generally aligns with its name and description and the referenced MCP tools. However, requiring a SEED_PHRASE is stronger than normally necessary for read-only balance queries (which can often be done from public addresses or xpub/watch-only data). The SKILL.md does not justify why a full seed phrase is required.
- Instruction Scope (concern): The runtime instructions reference only the MCP tools (get_balances, get_addresses, get_utxos) and conversion/display guidance, which is within scope. But SKILL.md does not say how the declared SEED_PHRASE env var is used, stored, or protected. The allowed-tools list (Read, Glob, Grep) could let the skill read local files, yet the instructions never limit or explain use of local data. This ambiguity increases risk because a seed phrase could be accessed/exfiltrated without being explicitly described.
- Install Mechanism (note): Install is a node package: @indigoprotocol/cardano-mcp (npm). Installing an npm package is a common approach for Cardano tooling and is not unusual, but it is a moderate-risk install mechanism because it will place code on disk and execute from the registry. No homepage, repository link, or package version is provided in the metadata, making provenance harder to verify.
- Credentials (concern): The skill requires a single env var: SEED_PHRASE. A seed phrase is extremely sensitive (full wallet control). The skill does not request more unrelated credentials, but it also does not explain why the seed phrase is necessary versus less-privileged alternatives (e.g., public addresses, xpub, watch-only keys). Requiring a seed phrase for a read-only balances query is disproportionate unless the skill needs to derive private addresses not otherwise available — this should be explicitly stated and justified.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request system-wide config changes, and does not claim to modify other skills or agent settings. Autonomous invocation is allowed (the platform default) but is not combined with other high privileges here.
