Skill v0.1.0
ClawScan security
Aavegotchi GBM Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Feb 15, 2026, 9:28 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with its stated purpose (interacting with Aavegotchi GBM auctions on Base) and do not request unrelated access, but it requires a private key so you should protect that credential and follow the safety rules before broadcasting transactions.
- Guidance: This skill appears to do what it claims (query auctions and optionally send transactions). Before installing or enabling it:
  1. Do not put your primary wallet private key into an environment variable unless you understand the risk — prefer a minimal/ephemeral key funded only with the amount you expect to spend, or use a remote signer/hardware wallet if possible.
  2. Keep DRY_RUN at 1 while testing; only set DRY_RUN=0 when you explicitly review and approve a broadcast step.
  3. Verify GBM_DIAMOND, GHST, USDC, and GBM_SUBGRAPH_URL match the official contract addresses and endpoints you expect.
  4. Because the skill can sign transactions, restrict autonomous use (only allow user-invoked flows) unless you fully trust the agent and its runtime environment.
  5. Review the linked GitHub repo and the SKILL.md recipes to confirm there are no changes from upstream before use.
Review Dimensions
- Purpose & Capability (ok): The declared binaries (cast, curl, python3) and environment variables (PRIVATE_KEY, FROM_ADDRESS, RPC, GBM_DIAMOND, token addresses, subgraph URL, slippage/prices) are exactly what a tool that reads auctions, simulates, and optionally broadcasts transactions on Base would need. There are no apparently unrelated credentials or binaries requested.
- Instruction Scope (ok): SKILL.md is explicit about limiting scope: it uses the Goldsky subgraph and onchain cast calls, requires chain-id and key/address verification, re-fetches the subgraph before actions, and provides validators to avoid unsafe shell interpolation. It does not instruct reading arbitrary host files or sending data to unrelated endpoints beyond Goldsky and CoinGecko (price lookup).
- Install Mechanism (ok): Instruction-only skill — there is no install spec and no code files executed from a remote URL. This minimizes disk/write risk.
- Credentials (note): The primary credential is PRIVATE_KEY, which is appropriate for signing transactions. Most other env vars are relevant. One small inconsistency: the registry metadata lists several env vars as required (e.g., DRY_RUN, RECIPIENT_ADDRESS, GHST_USD_PRICE, ETH_USD_PRICE) while SKILL.md treats some of them as optional/defaulted; that is a metadata vs documentation mismatch but not a functional red flag. Because PRIVATE_KEY is required, this is a sensitive privilege — the skill legitimately needs it to broadcast, but you must protect it.
- Persistence & Privilege (note): The skill does not request permanent platform-wide privileges (always:false) and has no install steps. However, it can sign and broadcast transactions using the provided PRIVATE_KEY. While autonomous invocation alone is normal, giving a skill a raw private key increases blast radius if the agent is permitted to act autonomously — the SKILL.md mitigations (DRY_RUN default, explicit checks) partially reduce risk but rely on correct operator behaviour.
