Skillv2.0.2

ClawScan security

Agnic AI Gateway · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 23, 2026, 2:15 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (proxy to many models via the Agnic CLI) is plausible, but the runtime instructions reference an authentication token and execute npx@latest (dynamic code from npm) while the metadata does not declare required env vars or a trusted source — these mismatches raise concerns.
Guidance: This skill appears to be a thin wrapper around the Agnic CLI and is coherent with its stated purpose, but proceed with caution. Key things to consider before installing or running it in a sensitive environment: - Metadata/manifest mismatch: SKILL.md says you may need AGNIC_TOKEN, but the registry metadata does not declare it. Treat AGNIC_TOKEN as a sensitive credential and avoid placing it in a shared/global environment until you verify scope. - npx@latest risk: The skill runs npx agnic@latest which will fetch and execute code from npm at runtime. Prefer a pinned, audited version or inspect the package source (repo/homepage) before using. Running unpinned npx commands can execute arbitrary code if the package is compromised. - Unknown source: There is no homepage or repo listed. Verify the npm package owner, repository, and package contents (or run in an isolated/ephemeral environment) before giving it credentials or payment funds. - Payment implications: The gateway charges USDC from a wallet. Use a dedicated test wallet with limited funds for initial trials and confirm billing behavior on app.agnic.ai. - Safer alternatives: If you must use this during automation, pin the CLI version (npx agnic@x.y.z) or vendor the CLI binary after manual review; avoid long-lived token exposure; consider running commands in a sandbox/container. If you want, I can: (a) show how to inspect the agnic npm package before running it, (b) draft a minimal wrapper that pins a specific version, or (c) produce guidance for creating a temporary wallet and limited-scope token for testing.

Review Dimensions

Purpose & Capability: noteThe skill description (access Agnic Gateway to list/chat/generate images across many models) matches the commands shown (npx agnic ai ...). Requiring an Agnic auth token and a USDC-backed wallet is coherent with the payment model. However, the package source is unknown (no homepage) and the metadata declares no required env vars even though SKILL.md instructs use of AGNIC_TOKEN — a documentation/metadata mismatch.
Instruction Scope: noteSKILL.md instructs the agent to run npx agnic@latest commands (status, auth, ai chat/image/models) and gives input-validation guidance (good). It also tells the agent how to authenticate (AGNIC_TOKEN or interactive login). The instructions do not attempt to read unrelated system files, but they do rely on executing external code fetched at runtime via npx, which can run arbitrary code and is therefore a scope/risk consideration.
Install Mechanism: concernThere is no install spec in the registry, but runtime usage relies on npx agnic@latest which downloads and executes the latest package from npm each run. Dynamic installs from npm (unversioned @latest) are higher risk because package content can change and execute arbitrary code; the skill does not recommend or pin a specific, audited version or provide a repository/homepage to verify.
Credentials: concernSKILL.md expects AGNIC_TOKEN for headless auth and mentions a USDC-backed wallet (payment). The registry metadata lists no required env vars or primary credential — this mismatch reduces transparency. Requesting an auth token and wallet access is proportionate to the stated functionality, but the skill should declare AGNIC_TOKEN (and describe its scope) in metadata. Storing/using payment credentials or long-lived tokens in shared agent environments has obvious sensitivity.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated persistence. disable-model-invocation is false (normal). There is no indication it modifies other skills or system-wide configs.