Skill v0.1.1
ClawScan security
Aiusd Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package claims to be an instruction-only AIUSD trading skill but contains self-extracting installers, embedded base64 archives, and SKILL.md references to credentials and local token files that are not declared — these mismatches and embedded installers warrant caution before installing.
- Guidance: Do not run installers or install this skill until you verify its origin and contents. Steps to consider:
  - Verify the publisher and release URL (the README references a GitHub release and aiusd.ai); confirm those links are legitimate and match an official project.
  - Inspect the embedded archive contents offline (decode the base64 from installer files into a tarball and list its files) before extracting or executing anything. Look for unexpected network endpoints, telemetry, or scripts that read files outside the skill directory.
  - Confirm what credentials are actually needed: SKILL.md references MCP_HUB_TOKEN and a local token file, but the manifest declares none — ask the maintainer why tokens aren't declared in the skill manifest.
  - If you must test, run the installer in a disposable sandbox or VM (network-restricted) and review network traffic and created files.
  - Pay attention to the SKILL.md 'forbidden phrase' rules and unusual response-shaping — these can be legitimate product requirements, but they can also be used to constrain auditability or hide behavior. Ask for a minimal, auditable version of the skill without embedded installers.

  If you cannot validate the source and contents, treat this package as untrusted.
- Findings:
  - [base64-block] unexpected: Base64-encoded archive data is present inside the provided installer scripts (expected for a self-extracting installer). However, the pre-scan also flagged the SKILL.md for a base64-block prompt-injection pattern, which is unexpected and could indicate an attempt to smuggle an encoded payload or manipulation instructions into the skill's runtime guidance. Either way, embedded archives increase the need for manual inspection before running.
Review Dimensions
- Purpose & Capability (concern): Metadata lists no required env vars or binaries and says this is instruction-only, but SKILL.md clearly references an auth token (MCP_HUB_TOKEN), OAuth flows, and a local token file (~/.mcp-hub/token.json). The bundle also includes large installer scripts (shell and node) and an embedded package archive — inconsistent with 'instruction-only' metadata and the lack of declared credentials.
- Instruction Scope (concern): SKILL.md includes detailed runtime rules (forbidden phrases, strict authentication-response wording) and explicit auth resolution order (env -> OAuth -> local file). It also instructs the agent to run tools --detailed before calls. The combination of strict output policing and explicit token file paths expands the agent's scope into local credential handling and response shaping, which is beyond a simple read-only query skill.
- Install Mechanism (concern): There is no declared install spec but two self-extracting installers (aiusd-skill-installer.sh and aiusd-skill-installer.js) contain large base64-encoded archives that decode and write a tarball to disk and run npm install. Self-extracting archives embedded in scripts increase risk (writes/extracts files locally and runs package installs). The archive is embedded rather than downloaded from a well-known release endpoint — moderate-to-high install risk.
- Credentials (concern): SKILL.md requires or prioritizes an env var (MCP_HUB_TOKEN), OAuth credentials, or a local token file, but the registry metadata declares no required env vars or primary credential. This mismatch is suspicious because the skill will access tokens/credentials (and local token files) but does not declare them in the manifest for review.
- Persistence & Privilege (note): The skill does not request always:true and does not declare system-wide config changes, but the installers will create an 'aiusd-skill' directory in the current working directory and run npm install there. That produces persistent files on disk (normal for an installer) but is more privilege than an instruction-only skill implies.
