Skill v1.0.0
ClawScan security
Indigo IPFS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 10:25 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (IPFS storage + querying collector UTXOs) matches its instructions and it requests no credentials or installs; it is internally coherent but relies on external platform-provided tools and unspecified network endpoints.
- Guidance: This skill appears coherent and minimal, but before installing check how your agent/platform implements the MCP tools (store_on_ipfs, retrieve_from_ipfs, get_collector_utxos): verify which IPFS gateway or node will be used (public gateway vs pinned storage), which Cardano node/API provides UTXO data, and whether those underlying services will require or transmit credentials. Confirm that the platform won't implicitly read or upload local files (allowed-tools include Read/Glob/Grep) without your consent. Finally, remember IPFS content is public and immutable; avoid storing secrets or private keys there.
Review Dimensions
- Purpose & Capability (ok): Name, description, and included sub-skills (IPFS storage and collector UTXO queries) align. The skill does not request unrelated credentials, binaries, or config paths.
- Instruction Scope (note): SKILL.md defines three clear tool-level operations (store_on_ipfs, retrieve_from_ipfs, get_collector_utxos) and example workflows. It does not instruct reading arbitrary local files or exfiltrating secrets. However, the implementation of those tools and which IPFS/Cardano endpoints or nodes will be used is unspecified, so network activity is implied but not described.
- Install Mechanism (ok): No install spec and no bundled code files that would be written to disk. Instruction-only skills are lower risk from an installation perspective.
- Credentials (ok): The skill declares no required environment variables or credentials. Some example workflows reference other tools (e.g., get_cdps_by_owner) which might require credentials outside this skill, but those are not requested here.
- Persistence & Privilege (ok): always:false and user-invocable:true (normal). The skill does not request to persist configuration or modify other skills.
