Skill v1.0.0
ClawScan security
Indigo DEX · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 10:25 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions mostly match a Cardano DEX query tool, but it omits how Blockfrost credentials (and other runtime bindings) are provided and it allows filesystem-read tools that aren't justified — these mismatches warrant caution.
- Guidance: This skill appears to be a read-only DEX explorer, but there are important gaps you should clarify before installing:
  1. Blockfrost requires an API key — ask how/where that key is provided and whether it will be stored/used only for read-only queries (use a scoped, read-only key).
  2. Confirm what the platform MCP tools (get_blockfrost_balances, get_steelswap_estimate, etc.) actually do and which network endpoints they call; verify they don't perform transactions or require signing keys.
  3. Remove or restrict allowed-tools (Read/Glob/Grep) if you do not want the skill to be able to read local files; otherwise the agent could access files on the host.
  4. Never paste private keys, seed phrases, or wallet signing material into prompts; this skill appears intended for balance and estimate queries only.
  If the publisher or platform can confirm where credentials come from and that only read-only, rate-limited Blockfrost keys are used, the remaining issues are likely benign.
Review Dimensions
- Purpose & Capability (concern): The skill's name/description and all sub-files consistently describe DEX queries (SteelSwap, Iris, Blockfrost). However, the skill relies on Blockfrost for wallet balances (and on external DEX endpoints) yet declares no environment variables or credential requirements. Also the SKILL.md metadata lists allowed-tools: Read, Glob, Grep — filesystem access is not obviously required for read-only queries and is disproportionate to the stated purpose unless the platform's MCP tools need local config files. These omissions/inconsistencies reduce confidence that the declared requirements match actual runtime needs.
- Instruction Scope (note): The runtime instructions are scoped to listing tokens, getting estimates, fetching pools, and querying balances via named MCP tools. They do not instruct the agent to read system files or secrets. However, the allowed-tools metadata (Read, Glob, Grep) gives the agent the ability to read local files — a capability not used in the written workflows. The SKILL.md also references Blockfrost calls without specifying where the API key comes from; that is an important missing detail in the instruction surface.
- Install Mechanism (ok): There is no install spec and no code files — this is an instruction-only skill. That minimizes install-time risk (nothing is downloaded or written to disk). The scanner had no code to analyze.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet its workflows explicitly call Blockfrost (which requires an API key) and external DEX services. The absence of declared credentials is a mismatch: either the platform injects these secrets via MCP tool bindings (not stated), or the skill will fail / implicitly require users to supply credentials in other ways. This lack of explicit credential requirements is disproportionate and unclear.
- Persistence & Privilege (ok): The skill is not always-enabled and is user-invocable (normal). It does not request persistent presence or system-wide config changes. The only notable privilege is the allowed-tools list (Read/Glob/Grep) which permits file reads if the platform honors that list — that should be reviewed, but the skill itself does not demand persistent privileges.
