Skillv0.1.2

ClawScan security

Send Token · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 9:55 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (sending tokens) matches its instructions, but there are inconsistencies and runtime risks — notably it relies on npx to fetch and run a remote CLI package (not declared) and does not declare how wallet credentials are accessed — so exercise caution.
Guidance: This skill appears to do what it says (send tokens), but before installing or using it you should: 1) Confirm you have and trust the @openant-ai/cli package on npm (review its npm/GitHub page and prefer a pinned version rather than @latest). 2) Be aware that running the provided commands will cause npx to download and execute remote code at runtime — this can run arbitrary code on your machine. 3) Verify how your wallet/authentication is stored and that you’re comfortable the CLI will only use keys to sign transactions (check the authenticate-openant flow). 4) When using the skill, always double-check recipient addresses, chain selection, and gas reserves; consider running CLI commands yourself (not via an agent) until you trust the tool and package. 5) If you do install/use it, prefer manual invocation or require explicit human confirmation for any send operation; avoid granting this skill autonomous permission to execute transfers.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (send tokens on Solana/Base) aligns with the actions described in SKILL.md. However, the instructions require running 'npx @openant-ai/cli@latest', yet the skill metadata lists no required binaries or install steps. At minimum this implies the environment must have node/npm (or otherwise be able to run npx), which is not declared.
Instruction Scope: okThe SKILL.md stays focused on token transfers: it instructs checking status and balance, mapping NL to CLI args, and explicitly requires explicit user confirmation before sending. It does not instruct reading arbitrary files or exfiltrating unrelated data. The 'override RPC' option could be used to point to arbitrary RPC endpoints, which is expected functionality but increases attack surface if misused.
Install Mechanism: concernThere is no install spec, but the instructions rely on 'npx @openant-ai/cli@latest'. npx dynamically fetches and executes a package from the npm registry at runtime. That means arbitrary remote code could be executed when the agent runs these commands. Using npx is common, but it is a runtime code fetch that should be acknowledged and vetted (verify package ownership, version pinning, and review source).
Credentials: noteThe skill declares no required env vars or config paths, but it implicitly depends on the OpenAnt CLI being authenticated to a wallet (mentions an 'authenticate-openant' skill). The SKILL.md does not state where keys/credentials are stored or accessed (local CLI config, OS keychain, hardware wallet, etc.). That omission is noteworthy because token transfers require access to signing credentials; the user should confirm how authentication is managed and protected.
Persistence & Privilege: okThe skill does not request permanent presence (always:false) and does not modify other skills or system-wide config. disable-model-invocation is false (normal). There is no evidence it requests elevated platform privileges.