Skill v1.1.1

ClawScan security

Erc8004 Discover · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:46 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Tool is coherent with its discovery purpose, but its runtime instructions and code fetch arbitrary metadata URIs (HTTP, IPFS, data:), which can cause the tool to request internal or attacker-controlled endpoints and expose sensitive content — review before running or enabling autonomous use.
Guidance
This skill appears to do what it says (discover ERC-8004 agents via Agentscan), but exercise caution before running it or enabling autonomous use. The script will fetch and decode metadata URIs returned by agents; those URIs can be data: URIs, IPFS addresses (fetched via ipfs.io), or arbitrary http/https URLs. If a metadata URI points to an internal service (for example cloud instance metadata) or an attacker-controlled host, the script will request and print that content — which could expose secrets if you forward logs to other systems.

Recommendations:
1) Review the source (scripts/discover.py) yourself before running.
2) Run it in a sandboxed environment or with network restrictions if you plan to use the monitor/cron features.
3) Avoid piping output automatically to external notifiers unless you trust all monitored agents and their metadata.
4) If you deploy as an autonomous skill, add URL whitelisting or disallow non-Agentscan-hosted metadata fetching (or at minimum sanitize/inspect decoded metadata before logging/transmitting).
5) Verify Agentscan's domain and the IPFS gateway used meet your trust requirements.

Review Dimensions

Purpose & Capability
ok: Name/description match the delivered functionality: the script queries Agentscan, lists/searches agents, shows stats, decodes metadata and caches monitor results. There are no unexpected env vars, binaries, or installs requested.
Instruction Scope
concern: SKILL.md instructs running the included Python script and using monitor/cron pipelines; the code's decode_metadata_uri will fetch and parse arbitrary URIs (data: base64, http(s) URLs, and IPFS via a public gateway). That behavior can trigger requests to attacker-controlled or internal endpoints (SSRF risk) and will decode/print returned content. The SKILL.md also shows examples piping outputs to external notifiers (slack-notify), which could forward any fetched content off-host.
Install Mechanism
ok: No install spec; instruction-only plus a Python script using the standard library. Nothing is downloaded or written by an installer. Risk from install mechanism is low.
Credentials
ok: No environment variables, credentials, or config paths are requested. The script operates with public Agentscan endpoints and temporary cache files in /tmp as documented.
Persistence & Privilege
ok: "always" is false and the skill does not request permanent agent-wide privileges. It stores per-monitor cache files in /tmp, which is expected for this use-case.