Skill v0.0.3

ClawScan security

ZKGov · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 6:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions mostly match its stated purpose (anonymous on‑chain governance). However, SKILL.md asks the agent to generate and store a private key, references an override env var and a config path that are not declared in the registry metadata, and instructs installing npm packages without an install spec. These are coherence and persistence concerns you should understand before installing.
Guidance
This skill appears to do what it says (interact with ZKGov CLI to query and vote on a HashKey Chain testnet) but there are important practical and safety details missing from the registry metadata. Before installing or letting an agent use this skill:

1) Treat the wallet behavior as sensitive — the agent will generate and store a private key at ~/.zkgov/config.json unless you supply ZKGOV_PRIVATE_KEY; do not allow it to generate keys if you don't want a secret created.
2) Verify the npm packages (@zkgov/cli and @zkgov/mcp): check their npm pages, source repos, maintainers, and recent publication history; prefer inspecting code or using a wallet you control.
3) Expect the agent to be able to send on‑chain transactions (gas costs, even on testnet) — require user confirmation for any write action.
4) Ask the publisher/maintainer for explicit metadata updates (declare ZKGOV_PRIVATE_KEY and the ~/.zkgov/config.json path, provide package repository URLs and checksums).

If the registry metadata is corrected and the npm packages are auditable/trusted (or you provide your own key), my concerns would be significantly reduced.

Review Dimensions

Purpose & Capability
note: The name and description (ZKGov anonymous voting on HashKey Chain) match the CLI commands and read/write operations described. Requesting an npm CLI and an MCP helper is consistent with the claimed functionality. However, the registry metadata omits some practical requirements present in SKILL.md (see env/config mismatches below).
Instruction Scope
concern: SKILL.md instructs the agent to run external CLI tools (npx/@zkgov/mcp and @zkgov/cli) and to perform write operations that generate and persist a wallet (~/.zkgov/config.json). It also references an environment variable override (ZKGOV_PRIVATE_KEY) and instructs the agent to perform on‑chain transactions. These behaviors are within the stated domain but expand the agent's scope (creating/storing a private key and sending transactions) and are not declared in the skill metadata.
Install Mechanism
note: There is no declared install spec in the registry, but SKILL.md tells users/agents to install packages from npm (npx @zkgov/mcp and npm install -g @zkgov/cli). Installing third‑party npm packages is a reasonable delivery mechanism for a CLI, but it is higher risk than an instruction-only read tool because it pulls code from the public registry. The skill does not provide package source/repos or checksums to verify provenance.
Credentials
concern: SKILL.md references an override env var (ZKGOV_PRIVATE_KEY) and a persistent config path (~/.zkgov/config.json) for storing private keys, but the registry metadata lists no required env vars or config paths. The agent will either generate a private key and store it locally (sensitive persistent secret) or accept a user private key from an env var. Requesting or creating private keys is intrinsic to write operations here, but the metadata omission is an incoherence and a sensitive capability that should be explicit.
Persistence & Privilege
concern: The skill instructs creating a persistent wallet file in the user's home directory and derives both the EVM account and ZK identity from the same private key; this is a lasting side effect. The skill is not marked always:true, but it does enable the agent to perform autonomous write actions (transactions) if invoked — that increases impact if the agent is allowed to act without explicit confirmation. The registry did not declare the config path, which is a persistence/privilege mismatch.