Skill v1.0.2
ClawScan security
AIresearchOS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:48 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill largely matches its stated purpose (submit research, background checks, optional on-chain payments), but there are several inconsistencies and sensitive operations (npm installs, private-key-based payments, cron scheduling) that are not fully declared in the metadata and warrant caution.
- Guidance
- This skill appears to do what it claims (submit research, poll status, optionally perform pay-per-request using x402), but take these precautions before installing:
  - Metadata mismatch: the skill requires Node.js and npm at runtime (scripts call `node` and `npm install`) but the metadata only lists `curl`. Ensure your environment has Node 18+ and that the skill metadata is updated.
  - Private-key risk: using x402 requires setting AIRESEARCHOS_WALLET_KEY (a 0x private key). Only use a dedicated wallet with limited funds and review the code carefully. The private key grants the skill the ability to sign on-chain payments.
  - npm install risk: the skill will run `npm install` in its scripts directory and fetch @x402/core, @x402/evm, and viem. Audit those dependencies and their versions before allowing automatic installs.
  - Background cron behavior: the skill schedules cron jobs to run node scripts in the background. Confirm your policy for background jobs and that the agent will prompt you before initiating payments. If you rely on x402, the agent must enforce explicit user confirmation for each paid request.
  - Missing env declarations: ask the publisher to update metadata to declare required binaries (node, npm) and required env vars (AIRESEARCHOS_WALLET_KEY, optional AIRESEARCHOS_BASE_URL) so the capability/requirement mapping is transparent.

  If the publisher can (1) update metadata to list node/npm and wallet env var, (2) provide verifiable package versions or a lockfile for npm deps, and (3) clearly document and enforce interactive confirmation for any x402 payment, the risk profile would be much lower. Until then, treat the skill as sensitive and consider using API-key-only mode or a sacrificial wallet for x402 payments.
Review Dimensions
- Purpose & Capability
- note: The skill's name/description (deep research + optional x402 payments) align with the included scripts and instructions: API-key submission, status checking, and an x402 payment helper. However metadata lists only 'curl' as a required binary and declares only AIRESEARCHOS_API_KEY as primaryEnv, while the runtime actually requires Node.js/npm and optionally AIRESEARCHOS_WALLET_KEY for x402 payments. That mismatch is disproportionate to the declared requirements.
- Instruction Scope
- concern: SKILL.md instructs the agent to run npm install in the scripts directory, execute node scripts that read env vars, schedule cron background checks, and (for x402) use a wallet private key to sign payments. The runtime instructions reference env vars and binaries not listed in the metadata (node, npm, AIRESEARCHOS_WALLET_KEY, optional AIRESEARCHOS_BASE_URL) and instruct autonomous background scheduling via the cron tool. All of these are within the claimed purpose but the instructions grant the skill the ability to (a) perform on-chain payments using a private key and (b) install third-party npm packages — both of which have sensitive side effects and should have been declared and highlighted.
- Install Mechanism
- note: There is no formal install spec, but SKILL.md directs the agent to run 'cd {baseDir}/scripts && npm install' on first x402 use. That will pull @x402/core, @x402/evm, and viem from npm (moderate-risk: standard registry packages). No arbitrary URL downloads or archives, but the skill assumes node/npm are available (not declared), and the automatic npm install means code from public registries will be written to disk — reviewers should audit package versions and trustworthiness before allowing that.
- Credentials
- concern: primaryEnv (AIRESEARCHOS_API_KEY) is declared, which fits the API-key path. However the skill also requires AIRESEARCHOS_WALLET_KEY for x402 payments (a 0x-prefixed EVM private key), but that env var is not listed in the metadata's requires.env. Requesting a private key is proportionate to on-chain payments, but it is high-risk: the skill can sign transactions and spend funds. The SKILL.md does instruct to confirm payments, provides a --max-payment safety check, and recommends not exposing the key elsewhere — but the missing declaration and the sensitive nature of private keys are important concerns.
- Persistence & Privilege
- ok: `always` is false (normal) and the skill does not request to modify other skills or system-wide settings. It does instruct scheduling background cron jobs to run the provided check-status script; that enables asynchronous autonomous activity which is reasonable for status polling. Combined with wallet access, background autonomy increases blast radius for payments — the skill instructs to confirm before payments, but the platform's enforcement depends on the agent and runtime policies.
