Skill v1.0.0
ClawScan security
Polygon PoS Development · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:02 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's content matches its stated purpose (Polygon PoS development with Foundry) but the runtime instructions expect sensitive environment variables (PRIVATE_KEY, POLYGONSCAN_API_KEY, WALLET_ADDRESS, etc.) while the registry metadata declares none — an important inconsistency and potential risk if the agent is allowed to use those secrets.
- Guidance
- What to consider before installing/using this skill:
  - Inconsistency: the registry claims no required env vars, but the guide expects PRIVATE_KEY, POLYGONSCAN_API_KEY, WALLET_ADDRESS, and RPC URLs. Treat that mismatch as a red flag and confirm expected secrets before proceeding.
  - Private key risk: following the guide requires supplying a private key which can sign and broadcast real transactions. Never provide your mainnet private key in plaintext to an agent or service. Prefer one of: an ephemeral testnet account, a key with limited funds, a hardware wallet, or a remote signing service (e.g., MetaMask, Gnosis Safe, or a signing API) that keeps the key off the machine/agent.
  - Minimize scope: for automation, give the smallest-privilege key possible (testnet-only key, low funds). Avoid embedding long-lived mainnet keys in .env files. Keep .env files out of version control and use secure secret storage where possible.
  - Review commands before running: the skill recommends running remote installers (curl | bash) and docker/pip installs. Verify those URLs are official and inspect scripts when possible.
  - Autonomous invocation caution: the skill can cause state changes (deploy/transfer) if the agent is allowed to run it with a PRIVATE_KEY. If you enable autonomous invocation, restrict the skill's access to secrets or disable autonomous execution when sensitive operations are involved.
  - Trust & provenance: the skill's source/homepage are unknown. Prefer official/maintained guides or double-check commands against Foundry and Polygon documentation before executing.
  - If you still want to use this skill: test with an ephemeral/testnet-only key first, do not use a funded mainnet key, and require manual approval before any transaction broadcast.
Review Dimensions
- Purpose & Capability
- ok: The name/description (Polygon PoS development, Foundry, Amoy testnet, verification on Polygonscan) aligns with the SKILL.md and reference files. All steps, commands, and endpoints are consistent with Foundry-based contract development and deployment to Polygon/Amoy.
- Instruction Scope
- concern: The SKILL.md instructs the agent/user to create and read a .env containing PRIVATE_KEY, WALLET_ADDRESS, POLYGONSCAN_API_KEY and to run Foundry scripts that call vm.envUint("PRIVATE_KEY") and broadcast transactions. Those actions are within the stated purpose, but they involve reading/using highly sensitive secrets and broadcasting transactions. The instructions also recommend running remote installer scripts (curl | bash foundry installer) and running analysis tools (pip install slither, docker run mythril), which are expected but increase runtime actions the agent could perform. The key concern: the instructions access secrets not declared in the registry metadata and they give the agent the capability to perform state-changing transactions.
- Install Mechanism
- note: This is an instruction-only skill with no install spec (lowest code-writing risk). However the guide instructs running external installer commands (curl -L https://foundry.paradigm.xyz | bash && foundryup) and recommends tools installed via pip/docker. The Foundry install URL appears to be the official installer but remote scripted installs carry the usual supply-chain risk and should be validated before running.
- Credentials
- concern: Registry metadata lists no required environment variables, but the SKILL.md repeatedly instructs use of PRIVATE_KEY, POLYGONSCAN_API_KEY, WALLET_ADDRESS, and optional RPC URLs. Requesting a private key and an API key is proportionate to deployment/verification tasks, but the metadata omission is an inconsistency. PRIVATE_KEY is extremely sensitive because it grants full control of the wallet and can be used to sign live transactions; the guide's use of vm.envUint("PRIVATE_KEY") implies the key will be provided in plaintext environment form, which is risky if mishandled or exposed to an agent with autonomous invocation.
- Persistence & Privilege
- note: The skill does not request persistent presence (always:false) and has no install-time modifications. That is appropriate. However the runtime instructions enable broadcasting transactions if the agent is allowed to run autonomously with access to PRIVATE_KEY; so if you permit autonomous invocation, the agent could send transactions on your behalf. This is not a fault of the skill itself but is a user-facing risk to consider before granting the agent secret access.
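The inconsistency flagged in the Guidance and in the Credentials dimension (env vars referenced by SKILL.md but absent from the registry metadata) is mechanically checkable. The following script is an added example, not ClawScan's own checker or any ClawHub code: it extracts variable names from Foundry cheatcode calls, shell expansions and .env-style assignments in a SKILL.md, compares them with the metadata's declared list, and escalates to "suspicious" when an undeclared name looks like a secret. The SKILL.md excerpt and the `{"env": [...]}` metadata shape are constructed for the example and are not the skill's actual files.

```python
import re

# Constructed sample in the style the scan describes; NOT the real SKILL.md of this skill.
SKILL_MD = """## Setup
Create a `.env` file:
PRIVATE_KEY=0x...
WALLET_ADDRESS=0x...
POLYGONSCAN_API_KEY=...
AMOY_RPC_URL=https://rpc-amoy.polygon.technology

## Deploy
forge script script/Deploy.s.sol --rpc-url $AMOY_RPC_URL --broadcast --verify --etherscan-api-key $POLYGONSCAN_API_KEY

In the script the deployer is loaded with:
uint256 pk = vm.envUint("PRIVATE_KEY");
"""

# Hypothetical registry metadata shape: the registry is assumed to list required env vars by name.
REGISTRY_METADATA = {"name": "polygon-pos-development", "version": "1.0.0", "env": []}

# Name fragments that mark a variable as a secret rather than plain configuration.
# Deliberately broad ("KEY" also catches e.g. KEYSTORE_PATH): over-reporting is the safe failure mode here.
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "MNEMONIC")

ENV_PATTERNS = [
    # Foundry cheatcodes: vm.envUint("PRIVATE_KEY"), vm.envAddress("WALLET_ADDRESS"), ...
    re.compile(r'vm\.env(?:Uint|Int|String|Address|Bytes32|Bytes|Bool)\("([A-Z][A-Z0-9_]*)"\)'),
    # Shell expansions in example commands: $AMOY_RPC_URL or ${AMOY_RPC_URL}
    re.compile(r'\$\{?([A-Z][A-Z0-9_]{2,})\}?'),
    # .env-style assignments at the start of a line: PRIVATE_KEY=0x...
    re.compile(r'^([A-Z][A-Z0-9_]{2,})=', re.MULTILINE),
]


def referenced_env_vars(text: str) -> set[str]:
    """Return every environment variable name the instructions reference."""
    found: set[str] = set()
    for pattern in ENV_PATTERNS:
        found.update(pattern.findall(text))
    return found


def is_secret(name: str) -> bool:
    """Heuristic: secrets are names that contain one of SECRET_HINTS."""
    return any(hint in name for hint in SECRET_HINTS)


def audit(skill_md: str, metadata: dict) -> dict:
    """Compare referenced env vars with the registry's declared list and grade the mismatch."""
    referenced = referenced_env_vars(skill_md)
    declared = set(metadata.get("env", []))
    undeclared = referenced - declared
    secrets = sorted(v for v in undeclared if is_secret(v))
    config = sorted(v for v in undeclared if not is_secret(v))
    # Undeclared secrets mean the agent would be handed credentials the registry never told the
    # user about; undeclared plain config is only a note. Declared-but-unused names are also
    # reported, since stale declarations hide what the skill really needs.
    if secrets:
        verdict = "suspicious"
    elif config:
        verdict = "note"
    else:
        verdict = "ok"
    return {
        "referenced": sorted(referenced),
        "undeclared_secrets": secrets,
        "undeclared_config": config,
        "declared_unused": sorted(declared - referenced),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = audit(SKILL_MD, REGISTRY_METADATA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the audit reports PRIVATE_KEY and POLYGONSCAN_API_KEY as undeclared secrets and WALLET_ADDRESS and AMOY_RPC_URL as undeclared configuration, giving the same "suspicious" grade the scanner reached. The check is intentionally a text heuristic: it will not see a secret that the instructions describe in prose only, so it complements rather than replaces reading the skill before granting it any key.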
