Skill v1.0.0

ClawScan security

Cardano Staking · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 2:07 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary: The skill's purpose is read-only (check delegation/rewards) but it declares a SEED_PHRASE environment variable and installs an npm package from an unverified source — requesting a seed phrase is disproportionate and inconsistent with the documented instructions.

Guidance: Do not provide your seed phrase. For checking delegation and rewards, prefer supplying a public wallet address or a read-only viewing key instead of private keys. Before installing: (1) verify the npm package @indigoprotocol/cardano-mcp on npmjs.com and inspect its source repository (GitHub) and maintainers; (2) ask the skill author why SEED_PHRASE is required and request an alternative that only needs a public address; (3) avoid storing seed phrases in environment variables — use hardware wallets or offline signing if you must sign transactions. If the author cannot justify the seed requirement or provide verifiable source code, do not install or run the skill.

Review Dimensions

Purpose & Capability
Concern: The skill says it only checks stake delegation and available rewards, which can be determined from a public wallet address; however, the registry metadata declares a required environment variable SEED_PHRASE. A seed phrase (private key material) is not justified by the stated read-only purpose.

Instruction Scope
Concern: The SKILL.md instructions only say to call get_stake_delegation and display results; they do not reference reading a seed phrase or other local files. Declaring SEED_PHRASE in the skill's requires block is inconsistent with the literal runtime instructions, creating scope creep and a mismatch between what the agent is told to do and what it asks for.

Install Mechanism
Note: The install spec pulls a Node package (@indigoprotocol/cardano-mcp) from the npm ecosystem. Using an npm package for Cardano MCP tooling is plausible, but the skill has no homepage or source link to verify the package's provenance. npm installs are moderate risk compared to instruction-only skills; lack of a verifiable upstream repository increases concern.

Credentials
Concern: Requesting SEED_PHRASE (sensitive private key material) is disproportionate for a read-only delegation/rewards check. The skill does not declare a less-privileged alternative (public address, viewing key, or read-only API token). Storing a seed phrase in an environment variable is also risky operationally.

Persistence & Privilege
OK: The skill is not set to always:true and uses default autonomy settings. It does not request system-wide persistence or attempt to modify other skills; no elevated persistence privileges were requested.