Skillv1.0.0

ClawScan security

Agent Security Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 16, 2026, 6:37 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose (auditing ERC-8004 agents) and does not request unrelated credentials or system privileges, but it performs network requests (including fetching arbitrary agent URIs) and defaults to a third‑party RPC endpoint, so run it carefully and review code before use.
Guidance: This skill appears to be what it says (an ERC-8004 agent auditor), but before running it: 1) Review the full scripts/audit.js file yourself (or in a sandbox) to confirm no unexpected behavior. 2) Run the script in an isolated environment (container, VM) if you are concerned about it making network calls to internal/private addresses — the auditor will fetch arbitrary agent URIs and may probe endpoints. 3) Override the default RPC with your preferred provider (--rpc) if you care about privacy or logging (do not supply private keys). 4) Be cautious saving or publishing generated reports if they contain sensitive internal endpoints or metadata. 5) If you need higher assurance, run the tool with network egress controlled and inspect all outgoing requests (or instrument it to log intended requests before they are made).

Review Dimensions

Purpose & Capability: okName/description (ERC-8004 agent auditor) matches the included files and runtime behavior: a Node.js audit script that queries an on‑chain identity registry, fetches off‑chain registration files, inspects endpoints, and reports findings. The declared dependency (ethers) is appropriate for Ethereum RPC interaction.
Instruction Scope: noteSKILL.md instructs the agent/user to run scripts/audit.js which performs RPC queries and fetches off‑chain metadata/endpoints. This is within the auditor's purpose, but the script will fetch arbitrary URIs taken from agent registrations (and likely probe service endpoints). That can cause outbound requests to attacker‑controlled or internal/private addresses (SSRF/network scanning risks). The instructions do not explicitly warn about running in a sandbox or the privacy implications of RPC/query traffic.
Install Mechanism: okThere is no install spec (instruction-only behavior), minimizing on‑disk installation risk. The package.json lists a single dependency (ethers) which is reasonable and traceable on npm. No remote archive downloads or executable installers are used.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The only implicit external resource is a blockchain RPC endpoint (default: https://eth.llamarpc.com) and network access for fetch calls — these are expected for the stated functionality, but the default RPC is a third‑party service that may log queries and could affect privacy.
Persistence & Privilege: okalways is false; the skill does not request persistent privileges or modify other skills. It runs as an on‑demand script and does not require enabling itself globally.