Skillv1.0.2

ClawScan security

Potato Tipper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 26, 2026, 1:45 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and docs are coherent with its stated purpose (configuring an on‑chain PotatoTipper), but the registry metadata does not declare the sensitive environment variables the runtime scripts and examples actually require (notably a PRIVATE_KEY), and the skill includes a clone-and-execute script that will broadcast transactions if run — these mismatches and the ability to cause on‑chain effects are a meaningful red flag.
Guidance: Do not paste or upload your private key into the agent. The skill's scripts and examples require a controller PRIVATE_KEY and will broadcast transactions (set data on your Universal Profile and authorize token operator allowances). The registry metadata failing to declare those env vars is a red flag — assume the skill will ask you to provide them if you follow the 'one-click' path. If you want to use this skill safely: - Review the included code locally (repo is on GitHub) before running anything. - Run setup only from your own trusted environment (not by pasting secrets into a chat/agent) and use a test account on testnet first. - Prefer granting minimal controller permissions and temporary budgets; consider toggling permissions off after setup. - If you must interact via an agent, restrict it to read-only operations (code review, explanation, or encoding helpers) and refuse any request to supply PRIVATE_KEY or other secret values. - If the registry metadata is supposed to list required env vars, ask the publisher to correct that mismatch before trusting automated flows.

Review Dimensions

Purpose & Capability: noteThe name/description (install PotatoTipper on a LUKSO Universal Profile) matches the provided files: ABIs, encoding helpers, Foundry/TypeScript examples, and a setup script. However the registry metadata claims 'Required env vars: none' while the scripts and SKILL.md explicitly require a controller PRIVATE_KEY and several other env vars (TIP_AMOUNT, UP_ADDRESS, etc.). That mismatch is unexpected and warrants caution.
Instruction Scope: concernSKILL.md and included files provide step-by-step setup that instructs cloning the GitHub repo and running a Foundry script which expects PRIVATE_KEY and will broadcast transactions to the LUKSO RPC. The runtime instructions therefore go beyond passive reading: they direct actions that change on‑chain state and authorize token allowances. This is within the skill's stated purpose but requires handling a private key and running repo code — both high-risk operations if done via an agent or without manual oversight.
Install Mechanism: noteThere is no formal install spec (instruction-only), but the included shell script clones a public GitHub repo (github.com/CJ42/potato-tipper-contracts) and executes a Foundry script. Cloning from GitHub is a common, traceable pattern (lower risk than arbitrary URLs), but executing code from a remote repo that will broadcast transactions increases risk and should be done locally by the user after manual review.
Credentials: concernThe skill effectively requires a sensitive PRIVATE_KEY (EOA controller key) plus other env vars to perform its main function, yet the registry metadata lists no required env vars or primary credential. Asking for a private key is proportionate to the action of configuring a UP on-chain, but the omission in metadata is an incoherence and a security concern: the agent or script may prompt for or request sensitive credentials unexpectedly. Also the scripts authorize an operator on the user's token (spend allowance), which is a powerful action and must be considered by the user.
Persistence & Privilege: noteThe skill does not request permanent presence (always:false) and does not modify other skills or global agent settings. The default ability for the agent to invoke the skill autonomously is allowed by platform defaults; combined with the above credential/transaction concerns this increases potential blast radius if the agent were given a private key or instructed to run the setup automatically. Treat autonomous runs as risky when private keys are involved.