Skill v0.1.0

ClawScan security

Settld MCP Payments · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 19, 2026, 7:29 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and example server configuration legitimately require Settld credentials and a runtime server, but the registry metadata does not declare any required environment variables and the skill relies on running an external npm package via npx — this mismatch and the dynamic code fetch are concerning.
Guidance
Before installing or running this skill:
1) Treat SETTLD_API_KEY as a sensitive secret — only provide a least-privilege or scoped key.
2) Ask the publisher for provenance: where is the settld-mcp npm package hosted, is there a source repository, a pinned version, and release checksums or signatures? Do not run unpinned npx commands in production.
3) Update the skill manifest or ask the registry owner to declare required env vars so the platform can surface the credential requirement.
4) If you must test, run the MCP server in an isolated environment (sandbox/container) and use test credentials and a billing limit.
5) Monitor billing and receipts for unexpected charges.
6) If you cannot verify the npm package source or author, treat this skill as high-risk and avoid providing real production credentials.

Review Dimensions

Purpose & Capability
concern
The SKILL.md purpose (connect to Settld MCP, run paid tool calls, produce receipts) is coherent with needing SETTLD_API_KEY, SETTLD_BASE_URL, and SETTLD_TENANT_ID. However, the registry metadata lists no required environment variables or primary credential despite SKILL.md explicitly naming these secrets. That inconsistency means the package's required privileges are not declared to the platform and may not be surfaced to users.
Instruction Scope
note
The runtime instructions are narrowly scoped to MCP interactions (calling settld.* tools, returning headers, running an MCP server). They do not instruct reading unrelated files or exfiltrating system data. They do, however, instruct running a server via `npx -y settld-mcp` and using API keys from env vars, which grants an external package the ability to execute arbitrary code at runtime — this broadens the effective scope beyond the written instructions.
Install Mechanism
concern
There is no formal install spec in the skill manifest, but the SKILL.md and mcp-server.example.json direct users/agents to launch `npx -y settld-mcp`. npx dynamically fetches and executes a package from npm; the skill does not pin a package version, provide a checksum, or link to a repository or homepage. Dynamic npm fetch is a moderate-to-high risk without provenance or pinning, because arbitrary code may be downloaded and executed at runtime.
Credentials
concern
The environment variables named in SKILL.md (SETTLD_API_KEY, SETTLD_BASE_URL, SETTLD_TENANT_ID, optional SETTLD_PAID_TOOLS_BASE_URL/SETTLD_PROTOCOL) are appropriate for a payment/settlement integration. However, the skill registry metadata did not declare any required env vars or primary credential, creating an omission that hides the fact that the skill needs sensitive secrets. Requiring live API keys without manifest declaration increases the risk of inadvertent exposure or misuse by runtime code.
Persistence & Privilege
note
The skill is not marked always:true and has no install-time persistence or config writes in the manifest. Autonomous invocation (default) is allowed; combined with a secret API key and the ability to run an npm package, an agent could autonomously make paid calls. This is not intrinsically incorrect, but users should be aware that the skill can be invoked by the agent and may incur charges if given credentials.