Skill v1.1.0
ClawScan security
Fluora Balance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 12, 2026, 10:50 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and declared requirements are consistent with its stated purpose: it reads a Fluora wallet file and queries the Base RPC for USDC balance using the ethers library.
- Guidance: This skill appears to do exactly what it claims: read your Fluora wallets.json and query the Base RPC for USDC balance. Before running: (1) review ~/.fluora/wallets.json to confirm it does not contain unencrypted private keys or other secrets you don't want read by scripts; (2) inspect scripts/check_balance.js (you already have it) and run it locally — it only contacts the Base RPC (https://mainnet.base.org) and the npm registry when you run npm install; (3) run npm install in a controlled environment or inspect package-lock.json (already included) if you have policy concerns about third-party npm packages; (4) be aware the script prints the wallet address and balance to stdout and can output JSON with --json for programmatic use. If you do not trust the source, you can copy the single function into your own trusted environment or manually query the RPC with your own tooling instead.
Review Dimensions
- Purpose & Capability (ok): Name/description (check USDC balance for Fluora wallet on Base Mainnet) matches the included script and README: the script reads ~/.fluora/wallets.json for the USDC_BASE_MAINNET.address and queries the stated USDC contract on the Base RPC.
- Instruction Scope (note): Instructions are narrowly scoped to reading ~/.fluora/wallets.json, connecting to https://mainnet.base.org, and querying the USDC contract. This is coherent for the stated task. Note: the script reads the entire wallets.json file (but only uses a specific address field) and prints the wallet address/balance to stdout; if wallets.json contains more sensitive contents (private keys), the file is accessed locally but not transmitted elsewhere by the script.
- Install Mechanism (ok): No packaged installer is provided; the SKILL.md instructs running npm install in scripts/, which will fetch ethers and its dependencies from the npm registry (package-lock.json shows registry.npmjs.org URLs). This is a normal approach for a Node.js script and the lockfile does not show downloads from unusual hosts.
- Credentials (ok): The skill declares no environment variables or credentials and only uses process.env.HOME to locate ~/.fluora/wallets.json. That is proportional to its purpose. The script does print the wallet address and balance to stdout, so users should be aware of that output.
- Persistence & Privilege (ok): The skill does not request persistent presence (always is false), does not modify other skills or system settings, and does not store additional credentials. It runs as a one-off script invoked by the user.
