Skill v0.4.22
ClawScan security
Caravo Service Marketplace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 12:41 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (a marketplace CLI) lines up with its requirements (Node + an API key + an npm CLI), but there are inconsistencies and operational risks (notably automatic wallet creation/payments and registry metadata mismatches) that warrant caution before installing or enabling it.
- Guidance: This skill is plausible for a service marketplace but take these precautions before installing or enabling it:
  - Verify the npm package and GitHub repo: inspect @caravo/cli source code (the SKILL.md points to https://github.com/Caravo-AI/Agent-Skills and caravo.ai) and the package published on npm to confirm it does what it claims.
  - Treat the generated ~/.caravo/wallet.json as a sensitive secret: the CLI will create a local wallet and can sign micropayments. Consider funding the wallet with only a small amount for testing.
  - Do not expose high-value API keys or production credentials to the skill. Use a dedicated CARAVO_API_KEY for testing and limit agent autonomy for any paid operations (require human approval).
  - Because installation runs arbitrary Node code, run the CLI in a controlled environment (container or VM) if you need to audit behavior first.
  - Resolve metadata mismatches with the publisher (missing homepage in registry summary, 'required env vars' inconsistency) before trusting automatic install or payments.
  If you can't or won't inspect the package/source, treat this skill as potentially risky for financial or data-exfiltration impact and avoid enabling autonomous invocation for paid tasks.
Review Dimensions
- Purpose & Capability (note): Name and description match the required pieces: Node + an npm CLI package (@caravo/cli) + a CARAVO_API_KEY credential are all coherent for a marketplace/CLI integration. However, the registry summary shows 'Required env vars: none' while the skill declares a primaryEnv of CARAVO_API_KEY, and the registry metadata provides no homepage though SKILL.md references caravo.ai and GitHub. These metadata inconsistencies should be resolved.
- Instruction Scope (concern): The runtime instructions require running 'npx -y @caravo/cli@latest start' on first use, and the CLI will auto-generate a local wallet (~/.caravo/wallet.json) and handle micropayments automatically. That goes beyond mere data lookup: the skill can cause financial actions, create and store private keys locally, and proxy calls to many external services (email, SMS, scraping, model inference). Those behaviors are plausible for a marketplace but materially expand the agent's power and risk. The SKILL.md asserts constraints (only touch ~/.caravo), but there is no code included here to verify those claims.
- Install Mechanism (note): Install is via a published Node package (@caravo/cli), which is a common, expected mechanism. NPM installs run untrusted code at install/run time; this is moderate risk but not unusual for a CLI. There is no direct download-from-URL or obscure host, which lowers risk. Because this skill is instruction-only, the npm package will be the executable code executed on first use; inspect the package and GitHub repo before trusting it.
- Credentials (concern): Requiring a CARAVO_API_KEY as the primary credential is reasonable for a marketplace, but the registry metadata's omission of required env vars conflicts with the SKILL.md's primaryEnv. More importantly, the CLI auto-generates and stores a local USDC wallet (wallet.json) which contains private keys used to pay providers; that file is a high-value secret on disk. The skill can therefore trigger spendable actions without provider-specific keys, so the financial blast radius is larger than a simple API key. The skill does not require other provider credentials, which is coherent, but the payment/wallet behavior increases sensitivity.
- Persistence & Privilege (ok): always:false (not forced into every agent) and no special system-wide privileges are requested. The skill does create and use files under ~/.caravo/, which is consistent with its stated wallet/config behavior. Note: default agent autonomy (disable-model-invocation:false) combined with the ability to make payments increases potential impact if the agent is allowed to act without human confirmation.
