Skill v1.0.0
ClawScan security
Cardano Identity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Mar 11, 2026, 2:07 AM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (listing ADAHandles) is plausible, but it requests a highly sensitive SEED_PHRASE environment variable without justification, which is disproportionate and risky.
- Guidance: Do not provide your wallet seed phrase unless you fully trust the package author and understand why signing authority is necessary. Before installing:
  1. Ask the author why SEED_PHRASE is required and whether a read-only address or WalletConnect flow can be used instead.
  2. Inspect the npm package @indigoprotocol/cardano-mcp source or its maintainer reputation.
  3. If you must test, do so in an isolated environment and never expose your real seed — prefer a throwaway/test wallet.
  4. Confirm the MCP server endpoint and network behavior (where data is sent) so sensitive data cannot be exfiltrated unexpectedly.
Review Dimensions
- Purpose & Capability (concern): The skill claims only to resolve/list ADAHandles for a 'connected wallet'. Listing or resolving handles is a read-only blockchain operation and typically does not require a wallet seed phrase. Requiring SEED_PHRASE is not coherent with the stated, read-only purpose and suggests unnecessary sensitive access.
- Instruction Scope (concern): SKILL.md instructs use of an MCP tool (get_adahandles) and a running @indigoprotocol/cardano-mcp server but does not explain why a seed phrase is needed or how it will be used. Allowed tools (Read, Glob, Grep) can access local files; combined with the SEED_PHRASE requirement, this increases the potential for sensitive data access without clear justification.
- Install Mechanism (note): The install uses an npm package (@indigoprotocol/cardano-mcp), which is an expected and traceable mechanism for Node-based MCP tooling. This is moderate risk — inspect the package source and maintainers before trusting it, but the mechanism itself is not an immediate red flag.
- Credentials (concern): The only required environment variable is SEED_PHRASE. A wallet seed is extremely sensitive; requesting it for a read-only listing task is disproportionate. The skill does not declare less-risky alternatives (wallet address, read-only API key, WalletConnect), nor justify why signing authority is required.
- Persistence & Privilege (ok): The skill does not request always: true and does not declare persistent system-wide modifications. It uses normal autonomous-invocation defaults; no excessive privilege is requested in this dimension.
