Skill v1.1.0
ClawScan security
Soma · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 24, 2026, 12:57 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions legitimately require sensitive credentials and S3/HuggingFace access for participating in SOMA, but the registry metadata omits those requirements, and the runtime guidance asks you to export wallet secret keys, push .env contents to a cloud secret store, and publish artifacts with public-read ACLs. That metadata mismatch and those risky practices should be reviewed before installing.
- Guidance: This skill is a comprehensive SOMA contributor guide and does require signing keys, HuggingFace access, and S3 credentials to operate; that is expected for the described workflows. However:
  1. The registry metadata does not list these env vars even though the SKILL.md requires them. Ask the publisher to fix the manifest so you know exactly what will be needed.
  2. Do not use mainnet or private production keys for testing. Follow the skill's own suggestion to use testnet keys, and explicitly confirm which network a given key targets.
  3. Be cautious about exporting wallet secret keys and pushing .env contents to any cloud provider. Prefer short-lived, least-privilege credentials scoped to a single S3 bucket, and rotate the keys after testing.
  4. Submission data and even encrypted weights may be published with public-read ACLs per protocol. Do not submit proprietary or regulated data.
  5. If you plan to run any of the recommended scripts (federated submitter, commit/reveal), review the quickstart repo code (the docs reference GitHub) before running it, and ensure Modal or any other orchestration service you use is trusted and configured securely.
  If the author cannot explain why the registry metadata omits required env vars, or refuses to update it, treat the omission as a red flag and do not provide secrets.
Review Dimensions
- Purpose & Capability (note): The SKILL.md and references explicitly describe on-chain signing, S3 uploads, and HuggingFace dataset access, so requesting SOMA_SECRET_KEY, HF_TOKEN, and S3 credentials is coherent with the skill's stated purpose. However, the skill registry metadata lists no required environment variables or binaries even though the runtime docs require the soma CLI and several env vars; that metadata/manifest mismatch is an inconsistency that should be corrected.
- Instruction Scope (note): The instructions stay within SOMA-specific workflows (data submission, scoring, commit-reveal, uploading weights). They do instruct potentially risky actions: exporting secret keys (wallet export), storing secrets in a local .env and pushing them to a cloud secret store (Modal), and uploading submission data and encrypted weights with public-read ACLs. Those actions are functionally consistent with the protocol, but they increase the exposure of sensitive material and could leak private data if misconfigured.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files to execute, which is the lowest installer risk. The docs recommend installing the soma CLI via an external installer (sup) and Python packages via pip, which is typical and expected; nothing in the bundle performs arbitrary downloads or writes to disk at install time.
- Credentials (concern): The SKILL.md expects multiple highly sensitive environment variables (SOMA_SECRET_KEY, HF_TOKEN, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY), which are proportionate to the described capabilities (on-chain signing, dataset access, artifact upload). The concern is that the manifest/registry does not declare these required env vars, and the runtime guidance encourages exporting secret keys and pushing them to a remote secret store; both increase risk if a user accidentally supplies mainnet credentials or misconfigures public ACLs.
- Persistence & Privilege (ok): always: false and disable-model-invocation: false (normal). The skill is instruction-only and does not request permanent presence or attempt to modify other skills or system settings. There is no install step that gives it elevated persistence or system-wide privileges.
