Skill v0.1.0
ClawScan security
Check Wallet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 1, 2026, 10:13 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (checking wallets), but they tell the agent to fetch and run an npm package via npx at runtime and to query locally stored Turnkey credentials (wallet addresses/balances) autonomously without confirmation. This is coherent but carries privacy and supply-chain risk.
- Guidance: This skill does what it says (checks wallets), but exercise caution before installing or running it. Key points:
  1. The instructions use `npx @openant-ai/cli@latest`, which downloads and runs code from npm on demand. Prefer a pinned version or verify the package before allowing execution.
  2. The CLI will read locally stored Turnkey credentials and return wallet addresses and balances (sensitive data). Decide whether you want the agent to be allowed to run these commands autonomously; if not, disable model invocation or require explicit user confirmation.
  3. Avoid passing untrusted custom RPC endpoints (they could observe queries).
  4. If you proceed, verify the provenance of the @openant-ai/cli package (publisher identity, npm audit/reviews) and consider running the commands manually first to confirm expected behavior.
Review Dimensions
- Purpose & Capability: ok. Name/description align with the instructions: all commands are for listing wallet addresses and on-chain balances via the OpenAnt/Turnkey CLI. No unrelated environment variables, binaries, or config paths are requested.
- Instruction Scope: concern. SKILL.md instructs the agent to run `npx @openant-ai/cli@latest ...` commands that will read locally stored Turnkey credentials and return wallet addresses/balances. It also states commands are executed immediately without user confirmation. While these actions match the purpose, they give the agent broad discretion to fetch code and expose potentially sensitive wallet addresses and balances.
- Install Mechanism: concern. The skill is instruction-only, but it relies on `npx @openant-ai/cli@latest`, which will fetch and execute code from the npm registry at runtime. That is an implicit runtime install / remote code execution vector (and using the `latest` tag increases supply-chain risk). No pinned-release or trusted-host install is specified.
- Credentials: ok. The skill does not request any environment variables or external credentials in its metadata. It does rely on locally stored Turnkey credentials created by the CLI (reasonable for wallet queries), which is proportionate to the stated function.
- Persistence & Privilege: note. `always` is false and the skill is user-invocable. However, model invocation is enabled by default and the SKILL.md explicitly says wallet commands are executed without user confirmation. That combination can expose sensitive wallet data if the agent invokes the skill autonomously; it's a privacy concern rather than a direct technical incoherence.
