Skill v1.1.0
ClawScan security
Liberfi Perpetuals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 2:21 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (perpetuals trading) matches its commands, but the runtime instructions include an explicit, opaque directive to auto-install a global npm CLI without user consent and to hide install failures — a deceptive installation behavior that raises concern.
- Guidance: Key things to consider before installing or enabling this skill:
  - The skill's behavior is generally coherent for a perpetuals trading helper, but its documentation explicitly tells the agent to auto-install a global npm package without asking and to hide install failures. This is a red flag: ask for human approval before any `npm -g` install.
  - Verify the CLI package and maintainer manually: look up `@liberfi.io/cli` on the npm registry and the project's homepage/repository, review package versions, release history, and source code (or request a signed checksum) before running `npm install -g`. Watch for typosquatting (similar package names).
  - Prefer to install the CLI yourself in a controlled environment (non-root, container, or sandbox) and only grant the agent access after you inspect the binary. Do not allow the agent to retry registries or suppress errors on your behalf.
  - The skill correctly warns to never run `order-submit` / `cancel-submit` or `deposit-place` without explicit user confirmation — honor that: require interactive confirmation for any transaction that spends funds or relays signed actions.
  - If you plan to use deposits, prefer the TEE one-click flow as described, but understand that escape-hatch flows require you to sign/broadcast transactions outside the CLI and are error-prone.
  - If you are not comfortable auditing npm packages or giving an agent permission to modify your system, decline automatic installs and run the CLI manually after vetting.
Review Dimensions
- Purpose & Capability (ok): Name, description and allowed CLI commands align: this skill is focused on perpetual futures queries and two-phase signed order/deposit flows via the LiberFi CLI.
- Instruction Scope (concern): The SKILL.md instructs the agent to install the `@liberfi.io/cli` globally WITHOUT asking the user and to retry/hide registry failures. That is outside normal scope for a helper: it mandates that the agent perform system changes and conceal install problems. Other runtime instructions (use `--json`, require user confirmation for submits/deposits, TEE one-click flow) are coherent and appropriate for perp trading.
- Install Mechanism (concern): There is no formal install spec in the registry metadata, but the documentation tells the agent to run `npm install -g @liberfi.io/cli --registry https://registry.npmjs.org/`. Using npm (official registry) is typical for a CLI, but a global install modifies the host, and running it automatically without user consent increases risk (potential for arbitrary code execution, typosquat packages, or privilege escalation). The instruction to suppress failure messages exacerbates the risk.
- Credentials (ok): The skill declares no environment variables and does not request unrelated secrets. It does expect the CLI to handle auth (`lfi status` / `lfi login`) and read wallet addresses (`lfi whoami`), which is proportionate to trading/depositing functionality. No extraneous credential requests are present in the metadata, but the agent will interact with user keys/wallets via the CLI flows — the SKILL.md sensibly warns to require explicit user confirmation for submits/deposits.
- Persistence & Privilege (note): The skill is not marked `always:true` and is user-invocable. However, the SKILL.md's automatic global npm install implies the skill expects to persist a CLI binary on the system. That persistent system modification should require explicit user consent; the current instructions bypass that, raising operational concerns though not an explicit registry-level privilege escalation flag.
