Skill v1.0.20

ClawScan security

BNBCHAIN Protocol & Matrices Analysis — Powered by ClipX · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 11:34 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally coherent: it's a thin Python CLI/formatter that calls a private ClipX HTTP API and returns preformatted text tables; it requests only Python and no credentials.
Guidance
This skill is a thin HTTP client that will send requests to the default server https://skill.clipx.app (or any URL set in CLIPX_API_BASE). The package itself does not request credentials, but any data you submit to the CLI (for example an address for balance lookup) will be sent to the remote API—so verify you trust the endpoint and owner before sending sensitive addresses or other data. The source has no homepage and the owner ID is unknown; if you need higher assurance, review/run the code locally or set CLIPX_API_BASE to a trusted server. Also avoid setting environment variables or config that point the client at an untrusted host.

Review Dimensions

Purpose & Capability
ok: Name/description, required binaries (python), included files (api_client_cli.py, format_box.py), and the commands in SKILL.md all consistently implement a thin HTTP client + formatter for BNBChain metrics. Nothing in the repo requires unrelated services or secrets.
Instruction Scope
note: SKILL.md strictly instructs the agent to run the included CLI and pass through server-formatted output; the runtime instructions do not read arbitrary local files or request unrelated environment variables. Note: the CLI supports a metrics_address mode (sends an address to the remote API) and other modes that will POST/GET user-supplied parameters — so any user-provided addresses or inputs will be transmitted to the remote API (expected for the stated functionality).
Install Mechanism
ok: No install spec is provided (instruction-only), and requirements.txt only lists requests. Nothing is downloaded from external URLs or written to system paths during install.
Credentials
note: No required env vars or credentials. There is an optional CLIPX_API_BASE env var to override the API base URL; this is reasonable for a client but means the endpoint the client contacts can be changed locally. No secret keys are requested.
Persistence & Privilege
ok: always is false and the skill does not modify other skills or system-wide agent settings. It does not persist or request elevated privileges.