Skill v1.0.8

ClawScan security

Quick Intel Token Security Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 4:41 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions match its stated purpose (pay-per-scan token analysis) and don't ask for unrelated permissions, but be cautious with any wallet keys and note the skill comes from an unknown source.
Guidance
This skill appears to do what it says: call Quick Intel's scan API and pay ~ $0.03 per scan. Before installing or using it: (1) confirm you trust the Quick Intel and recommended wallet service domains (x402.quickintel.io, paysponge.com, frames.ag, etc.), (2) never put your main private key into an environment variable — if you must use programmatic signing, create a dedicated hot wallet with minimal funds ($1–5 USDC) as the docs advise, (3) prefer managed wallet integrations (Sponge/AgentWallet) so no raw keys are stored or exposed to the agent, (4) be aware each scan costs money and will trigger on-chain payment flows, and (5) note the skill's source/homepage is missing — that lowers confidence; if you need higher assurance ask the publisher for a verifiable homepage or open-source reference before proceeding.

Review Dimensions

Purpose & Capability
ok · The skill exists to call Quick Intel's scan endpoint and pay a $0.03 x402 payment; the documented wallet integrations (managed wallet API keys or a dedicated hot-wallet private key) are reasonable and proportional to that purpose. There are no unrelated credentials or binaries requested.
Instruction Scope
note · SKILL.md explicitly instructs the agent to POST to the Quick Intel x402 endpoint and to perform payment signing via managed-wallet APIs or programmatic signing. The instructions do not ask the agent to read unrelated local files or exfiltrate unrelated data. Note: the skill includes code patterns that require an X402_PAYMENT_KEY environment variable for programmatic signing; these env vars are presented as 'recommended/advanced', but the registry metadata lists no required env vars.
Install Mechanism
ok · Instruction-only skill with no install spec and no code files: nothing will be downloaded or written to disk at install time, reducing install risk.
Credentials
note · The only sensitive data the skill suggests using are managed-wallet API tokens (SPONGE_API_KEY, AGENTWALLET_API_TOKEN) or a dedicated hot-wallet private key (X402_PAYMENT_KEY) for payments. Those are proportionate to a service that requires on-chain payments, but they are highly sensitive. The skill repeatedly warns to avoid using main wallet keys and to use a minimally funded dedicated wallet or a managed wallet service.
Persistence & Privilege
ok · The skill does not request permanent/system-level presence (always:false) and does not modify other skills or system-wide agent settings.