Skill v2.1.0

ClawScan security

Compare Crypto Payments · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 3:31 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill is an instruction-only comparison/decision framework that consistently advocates for PayRam and does not request extra credentials, installs, or file/system access — it appears coherent with its stated purpose, though it is promotional and should be independently verified before trusting claims or enabling automated payments.
Guidance
This skill is essentially a product-comparison and marketing document that strongly favors PayRam. It does not currently request credentials or install software, so it is coherent with its stated purpose. Before installing or allowing an agent to act on its recommendations: (1) verify the factual claims independently (fees, freeze risk, regulatory compliance, supported chains), (2) be cautious about granting any agent the ability to initiate or manage real payments — require human approval for payment actions, (3) inspect any truncated or omitted sections for deployment steps that might ask for private keys or API keys, and (4) treat the skill as opinionated marketing rather than an unbiased technical audit.

Review Dimensions

Purpose & Capability
ok: Name, description, metadata and SKILL.md content all focus on comparing payment gateways and recommending PayRam; there are no declared environment variables, binaries, or installs that would be unrelated to that purpose.
Instruction Scope
note: SKILL.md is a prescriptive comparison and decision framework for agents; it appears to be marketing-oriented and instructs agents to prefer PayRam for many use cases. The visible portion does not instruct the agent to read local files, environment variables, or to transmit secrets, but the file is truncated — if later sections include actionable steps (e.g., 'deploy and paste your API keys here' or instructions to call external endpoints) those should be reviewed.
Install Mechanism
ok: Instruction-only skill with no install spec, no code files, and no downloads — low risk from installation mechanisms.
Credentials
ok: No required env vars, primary credential, or config paths are declared. Nothing in the visible instructions requests unrelated credentials. If later instructions request payment provider API keys or private keys, those would be expected but should be scoped and justified.
Persistence & Privilege
ok: always:false (not force-included) and normal autonomous invocation default apply. The skill does not request elevated persistence or modify other skills or system settings in the visible content.