Skill v2.0.2
ClawScan security
Agnic Pay for Service · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 23, 2026, 2:08 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (paying x402 endpoints), but it relies on executing a remote npm package via `npx ...@latest` and references an AGNIC_TOKEN env var that is not declared in the metadata — both are reasons to be cautious before installing or running it.
- Guidance: This skill appears to do what it says (make paid x402 calls), but exercise caution: it runs `npx agnic@latest`, which will fetch and execute code from npm each time — consider pinning to a specific, reviewed package/version instead of `@latest`. The SKILL.md mentions AGNIC_TOKEN for headless auth but the metadata doesn't declare it; confirm how you will provide a token and avoid exposing secrets on the command line (they can end up in shell history). Before using: (1) review the agnic npm package source or its npm page, (2) prefer a pinned version you can audit, (3) ensure the wallet and USDC balances are controlled and minimal for testing, (4) avoid passing other sensitive data through CLI args, and (5) if you need stronger assurance, ask the publisher for an install spec or code you can audit locally.
Review Dimensions
- Purpose & Capability (note): Name, description, and SKILL.md consistently describe making x402 payments on Base using USDC, and the documented commands (`npx agnic x402 ...`) are aligned with that purpose. Minor incoherence: the instructions reference an AGNIC_TOKEN environment variable for headless auth, but the skill metadata lists no required env vars.
- Instruction Scope (ok): Runtime instructions are narrowly focused: they call `npx agnic@latest` subcommands to check status, view details, check balance, and pay. The documentation includes input validation suggestions (URL regex, JSON parsing) and does not instruct the agent to read unrelated files or exfiltrate data. It does, however, allow passing authentication tokens via CLI or env — a normal but sensitive operation.
- Install Mechanism (concern): This is an instruction-only skill that runs `npx agnic@latest` at runtime. `npx` will download and execute code from the npm registry (the `latest` tag), which is effectively executing remote code each time — a non-trivial risk. The skill provides no install spec or pinned package version to allow static review of code prior to execution.
- Credentials (note): The only credential-like items referenced are AGNIC_TOKEN (for authentication) and the user's wallet balance (USDC on Base), both reasonable for the stated purpose. But the metadata does not declare AGNIC_TOKEN in required env vars, creating a mismatch between declared requirements and instructions.
- Persistence & Privilege (ok): The skill does not request persistent presence (`always: false`) and model invocation is disabled (`disable-model-invocation: true`), so it cannot be autonomously invoked by the model. No install scripts and no system-wide config changes are specified.
