Skill v0.1.6
ClawScan security
Overlay Market (perpetual futures trading) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 1:59 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and optional environment variables are coherent with a BSC perpetual-futures trading tool; it asks for only the credentials and network access expected for that purpose and does not contain obvious misdirection or unexplained exfiltration.
- Guidance
- This skill appears to do what it says, but take these practical precautions before installing or using it:
  - Never put a high-value raw private key into OVERLAY_PRIVATE_KEY. Prefer an external signer, a multisig (Safe), or a dedicated low-value wallet as the README recommends. Use --owner and dry-run where possible.
  - The skill uses a default Overlay-operated proxy for 1inch calls; that proxy will observe swap request details. To avoid that, set ONEINCH_API_KEY so the skill calls api.1inch.dev directly.
  - Verify the contract addresses (CONTRACTS.*) and external endpoints (api.overlay.market, api.goldsky.com) yourself before sending real transactions — the registry lists an unknown source and no homepage.
  - Run npm install in an isolated environment and audit dependencies (npm audit / inspect viem versions). Consider running the code in a sandbox or container first.
  - Use dry-run/simulation options frequently (build.js/unwind.js support simulation) and test with a low-value wallet.
  - Review send.js's allowed-target list and understand it enforces only SHIVA and USDT token calls; if you change the code, re-audit those checks.
  If you want deeper assurance: ask the publisher for a verifiable source repo or signed release, or request a code review focusing on the proxy usage and dependency supply chain. If you cannot verify the origin, treat the skill as untrusted tooling and restrict the wallet used with it.
- Findings
- [PROCESS_ENV_RPC_PLUS_NETWORK_CALL] expected: common.js uses process.env.BSC_RPC_URL as the RPC endpoint (transport target) and then makes network calls to that endpoint; the SKILL.md explicitly documents this and explains it is not exfiltration but intended configuration.
- [READFILESYNC_PLUS_NETWORK_CALL] expected: readFileSync is used for a local .cache directory (market data caching). The SKILL.md explains cached data originates from network responses and cached files are not transmitted to external services.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the included scripts (scan, chart, build, unwind, send, approve, balance, positions). Required network endpoints and contract addresses are consistent with trading on Overlay Protocol on BSC. No unrelated credentials or binaries are requested.
- Instruction Scope
- note: Runtime instructions and scripts operate within the trading domain: they call Overlay APIs, a Goldsky subgraph, 1inch (or an Overlay proxy), and BSC RPC; read/write a local .cache directory; and optionally derive/sign transactions from OVERLAY_PRIVATE_KEY. Notable: unwind.js/build.js may request 1inch swap calldata via a default Overlay-operated Cloudflare Workers proxy (1inch-proxy.overlay-market-account.workers.dev) unless you set ONEINCH_API_KEY to call api.1inch.dev directly. The proxy will see swap request details — this is documented in SKILL.md but is a privacy/operational consideration, not an unexplained action. The code reads .cache but does not transmit its contents.
- Install Mechanism
- ok: This is instruction-only (no install spec). SKILL.md asks to run npm install (package.json depends on 'viem'). Pulling viem and its normal crypto dependencies from the public npm registry is expected for Ethereum/BSC tooling. No downloads from untrusted URLs or archive extraction are present.
- Credentials
- ok: Only optional env vars are referenced: OVERLAY_PRIVATE_KEY (for signing), BSC_RPC_URL, and ONEINCH_API_KEY. Each is directly used by the scripts for signing, the RPC endpoint, or calling 1inch; no unrelated secrets or system credentials are requested.
- Persistence & Privilege
- ok: The skill is not 'always' enabled and does not request persistent system-wide privileges. It does not modify other skills or global agent settings. Autonomous invocation is allowed by default (platform behavior) but not combined with extra privileges here.
