Skillv1.0.0

ClawScan security

Cardano Transactions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 2:07 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill asks for a SEED_PHRASE environment variable (a highly sensitive secret) but its documentation says the seed phrase is never exposed and the runtime instructions never justify needing that env var — this mismatch is disproportionate and risky.
Guidance: Do not set your wallet seed phrase as an environment variable for this skill. Before installing, ask the author why SEED_PHRASE is required and whether signing can be done by a separate wallet/MCP service that holds the keys. If you must test, do so in an isolated environment with a throwaway wallet (no funds). Verify the npm package @indigoprotocol/cardano-mcp (publisher, homepage, source code) and confirm the MCP server endpoint is local/trusted. Prefer a workflow where the agent requests the MCP server to sign, and the agent never receives raw seed material. If the author cannot justify SEED_PHRASE being required, treat the skill as unsafe to use with real keys.

Review Dimensions

Purpose & Capability: concernThe skill's purpose (sign & submit Cardano transactions via an MCP tool) can normally be achieved by talking to a wallet/MCP server without the agent holding the seed phrase. Declaring SEED_PHRASE as a required env var is not consistent with the stated architecture (the docs explicitly say the seed is never exposed to the AI agent). The one declared install (@indigoprotocol/cardano-mcp) is appropriate for Cardano MCP functionality, so the main incoherence is the secret requirement.
Instruction Scope: concernSKILL.md instructs a safe confirmation flow (summarize transaction, ask explicit confirmation, only then call submit_transaction). However, the skill's metadata requires SEED_PHRASE while the prose states the seed phrase is never exposed — a direct contradiction. The allowed-tools include Read/Glob/Grep (file access/search) which could be used to read local secrets if the agent were permitted to act, creating scope creep relative to the minimal instructions.
Install Mechanism: okInstall is an npm package (@indigoprotocol/cardano-mcp). This is an expected mechanism for Cardano tooling (traceable on npm) and is moderate-risk but proportionate for the described capability. No arbitrary URL downloads or archive extracts are used.
Credentials: concernRequesting SEED_PHRASE is high privilege and should be unnecessary if an external MCP/wallet service signs transactions. The skill offers no justification for requiring this env var; moreover, its own documentation claims the seed is never exposed to the agent — a conflicting message. An env var named SEED_PHRASE is explicitly a secret-like credential and is disproportionate for a tool that should instead rely on the wallet/MCP service.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated persistence or system-wide config changes. There is no evidence it modifies other skills or agent settings. The only minor note is allowed-tools that permit reading files, which increases potential for accidental local-secret access if capabilities are misused.