Skillv4.0.0

ClawScan security

Agent Swarm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 25, 2026, 5:12 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill largely matches its stated XMTP + on‑chain escrow purpose, but contains undocumented requests for sensitive credentials and auxiliary instructions (social media automation, local credential reads) that do not align with the declared metadata — review carefully before use.
Guidance: What to check before installing or running this skill: - Do not paste your real private key into .env until you audit the code. The skill expects WALLET_PRIVATE_KEY and RPC details — use an ephemeral wallet with minimal funds for testing. - Inspect cron-message.txt and any scripts referencing /home/oryx/.openclaw/... or .x_credentials. Those instructions ask to read local credential files and post to api.x.com (Twitter/X) — unrelated to the protocol and a potential exfiltration path. Remove or ignore these scripts if you don't want social‑posting behavior. - Review package.json and package-lock.json for third‑party packages that will be installed (they run code at runtime). Consider installing in an isolated environment (container, VM) and do an offline code review first. - Verify the escrow contract address on BaseScan (the SKILL.md points to a contract address and BaseScan link). Confirm its source and that it behaves as claimed before locking funds. - Avoid running live-demo or scripts that auto-swap funds (Uniswap/autoswap) on mainnet until you understand wallet-swapping logic and approvals. - If you need the feature but want minimal risk: run the demo on XMTP dev/test and Base testnet with an ephemeral wallet, and remove/disable any cron or social media automation files. If anything is unclear, ask the publisher for justification of the social‑posting automation and for an explicit list of required environment variables and their purposes. Refuse to provide unrelated credentials (OAuth tokens from other tools) to this skill.

Review Dimensions

Purpose & Capability: noteThe codebase, package.json, and SKILL.md implement XMTP messaging, wallet utilities, and on‑chain escrow (ethers, @xmtp/agent-sdk, escrow contract) which is consistent with the described purpose. However the registry metadata declares no required environment variables while the runtime instructions and many scripts clearly expect an Ethereum private key and network/RPC config — an omission that is a mismatch between declared requirements and actual needs.
Instruction Scope: concernThe main SKILL.md and demo scripts instruct using a local .env with WALLET_PRIVATE_KEY and RPC details (expected), but the repository also includes a cron-message.txt with explicit instructions to read local files (/home/oryx/.openclaw/workspace/.x_credentials and memory logs) and to post using the X (Twitter) API (api.x.com). Those steps involve reading local credential files and sending network requests unrelated to the core XMTP/escrow protocol — this is scope creep and a potential exfiltration vector.
Install Mechanism: noteThere is no remote download/install spec in the skill manifest (install is local via npm install in the skill directory). That reduces supply‑chain mystery, but the repository includes a large node project and many dependencies (including wallet/sdk packages). Installing will run many third‑party packages locally; audit package.json and package-lock.json before installing in a trusted environment.
Credentials: concernAlthough the registry lists no required env vars, SKILL.md and scripts require WALLET_PRIVATE_KEY plus XMTP_ENV, NETWORK, CHAIN_ID, USDC_ADDRESS, RPC_URL, ESCROW_ADDRESS. A private key is legitimately needed for payment functionality, but cron-message.txt also instructs exporting .x_credentials (OAuth tokens) and using them to post to api.x.com — those credentials are unrelated to the described agent marketplace and are not declared. Requesting/using unrelated local credentials is disproportionate and risky.
Persistence & Privilege: concernThe skill is not marked always:true, but it includes cron-style instructions (cron-message.txt) that direct periodic engagement and instruct reading/writing to local memory files and credential files. If the agent or user were to schedule/automate those scripts, the skill could persistently access local credentials and external APIs. Combined with autonomous invocation this increases blast radius; exercise caution.