Skill v1.0.1
ClawScan security
Credex Protocol · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:25 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match its stated DeFi purpose, but there are mismatches and network/exfiltration risks you should understand before using it (notably a missing declared required env var in registry metadata and runtime HTTP calls to an agent URL that can be pointed at an untrusted server).
- Guidance: This skill implements the described lending and LP features and legitimately needs a wallet private key to sign transactions, but there are important cautions:
  1. Registry metadata omits required env vars — assume you must provide WALLET_PRIVATE_KEY and RPC_URL; do not trust the metadata alone.
  2. The borrower CLI contacts an agent server at CREDEX_AGENT_URL (default http://localhost:10003). If you set CREDEX_AGENT_URL to a remote URL, that remote service will receive agent addresses, status queries and borrow/repay requests; do not point it to an untrusted or non-TLS endpoint.
  3. Keep your private key out of long-lived global envs and avoid using a key with significant funds — test with a throwaway/testnet key first.
  4. Inspect the included scripts (they are present) and the package-lock.json yourself or run them in an isolated/sandbox environment; dependencies are standard npm packages but will be fetched at runtime when using npx/ts-node.
  5. Prefer running operations locally (ensure CREDEX_AGENT_URL is localhost) or using a hardware wallet / signing service you control.
  If you need this skill in production, request the author to: update registry metadata to declare required env vars, document agent API semantics and security, and provide HTTPS agent defaults or signed-agent verification.
Review Dimensions
- Purpose & Capability (concern): The skill claims DeFi/credit operations and the code implements borrowing, repaying, LP operations, and bridging — so capabilities align with the description. However, the registry metadata declares "Required env vars: none" and "Primary credential: none," while SKILL.md and the scripts require WALLET_PRIVATE_KEY (mandatory) and RPC_URL — this metadata omission is an incoherence that could mislead users about required sensitive credentials.
- Instruction Scope (concern): SKILL.md instructs the agent to run the included scripts which (correctly) sign transactions with WALLET_PRIVATE_KEY and call on-chain contracts. The borrower script additionally sends HTTP requests to CREDEX_AGENT_URL (default http://localhost:10003) for /borrow, /repay, /status endpoints. While the default is local, CREDEX_AGENT_URL can be set to any URL; those requests include agentAddress and other state and could be redirected to an external service. The instructions do not explicitly warn users about the risk of pointing CREDEX_AGENT_URL to untrusted servers or using non-TLS endpoints.
- Install Mechanism (note): There is no install spec (instruction-only at registry level), but the package includes package.json and package-lock.json and depends on standard npm packages (ethers, Circle bridge libs, dotenv). Running the scripts with npx/ts-node will cause npm to fetch packages. Dependencies appear to come from public npm — no arbitrary URL downloads — but executing the scripts will run code with network access and wallet signing capability.
- Credentials (concern): The skill requires a private key (WALLET_PRIVATE_KEY) — appropriate for signing transactions — and an RPC_URL. However, the registry metadata does not declare these required env vars, creating an expectation gap. CREDEX_AGENT_URL is optional but writable by the user; if set to a remote HTTP(S) server it can observe and interact with the skill's requests. The number and sensitivity of env vars is proportionate to the function, but the missing declaration and presence of an externally configurable agent endpoint raise the risk of credential-related misuse if the user points the agent URL to an attacker-controlled service.
- Persistence & Privilege (ok): The skill does not request permanent/global presence (always:false) and does not modify other skills or system-wide settings. It does not persist credentials on disk itself. Autonomous invocation is allowed (platform default) but is not combined with other strong red flags here.
