BYOCB ArbInjectionSkill
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill’s security-monitoring goal is coherent, but it asks to run a persistent auto-updating Node service from an unpinned external GitHub/npm source that was not included for review.
Review the external repository before installing, pin it to a trusted commit, run it in an isolated environment, and do not enable the daily auto-update/background monitor until you are comfortable with its code, dependencies, messaging behavior, and API-key handling.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or updating could execute changed third-party code that has not been reviewed by the registry scan.
The skill depends on unpinned external code and npm dependencies, then asks for recurring updates from the moving main branch; the reviewed artifact set contains only SKILL.md, so the executable code and dependency changes are not inspectable here.
git clone https://github.com/BringYourOwnBot/arb-injection.git ... npm install ... Daily update required ... git pull origin main ... npm install
Review the GitHub repository and dependency files first, pin to a trusted commit/version, and avoid automated git pull/npm install updates unless you have a separate review process.
Running the commands gives the downloaded scanner code local execution rights in the user’s environment.
The skill tells the user to run local Node.js scripts. That is expected for this scanner, but it means the actual runtime behavior comes from external code rather than from reviewed skill artifacts.
node index.js <chain> [--no-llm] ... node modules/scan-arbitrary-call.js <address> --rpc <chain>
Run it in an isolated directory or container and review the code before starting the monitor.
The skill could keep operating and changing its installed code after the initial task, increasing the chance of unintended behavior.
The instructions create a long-running background monitor and a recurring scheduled update workflow, but do not define clear limits, shutdown steps, or user approval before each update.
ArbInjectionSkill runs automatically in the background ... Schedule daily update check (09:00) ... "text": "ArbInjectionSkill daily update: git pull and npm install"
Only enable continuous monitoring if needed, document how to stop it, and require manual approval for updates.
If enabled, the scanner may use the user’s Anthropic account and API quota, and the key must be protected.
The optional Anthropic API key is purpose-aligned for LLM analysis, but credentials are not declared in the registry metadata.
Optional `.env` file: ANTHROPIC_API_KEY=sk-ant-... # For LLM deep analysis
Use a dedicated, least-privilege API key if possible and verify the downloaded code does not log or transmit the key unexpectedly.
Incorrect channel configuration or false positives could send sensitive or confusing alerts to the wrong place.
Automated messaging is aligned with the alerting purpose, and the instructions include false-positive checks, but it still grants the workflow authority to send vulnerability reports through external messaging channels.
Send alert via `message` tool to user's preferred channel
Configure a private preferred channel and require verification before sharing detailed vulnerability information.