Skillv1.0.0

ClawScan security

BYOCB ArbInjectionSkill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 10, 2026, 4:23 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (scanning EVM contracts for arbitrary-call injection) matches its instructions, but the SKILL.md directs the agent to clone and run third‑party code, run npm installs, and send alerts to external messaging channels while the metadata declares no required binaries, installs, or credentials — an incoherent and potentially risky combination.
Guidance: This skill looks like a legitimate EVM-scanning tool, but the SKILL.md asks you to clone and run third‑party Node code and to notify external messaging channels while the registry metadata declares no installs, binaries, or credentials. Before installing or running it: (1) review the GitHub repository and package.json for malicious postinstall scripts or unexpected network calls; (2) run the code in an isolated environment (VM/container) and inspect index.js and any modules that send network requests; (3) do not provide messaging API tokens or other secrets until you verify how alerts are delivered; (4) prefer running scans manually or under your own monitored service rather than allowing silent background/auto-update behavior; (5) ask the publisher to update registry metadata to list required binaries (git, node, npm), required env vars, and an install spec or provide a vetted package/release. If you cannot audit the repository, treat this skill as high-risk and avoid granting it persistent or credentialed access.

Review Dimensions

Purpose & Capability: concernThe description (scan/monitor EVM contracts) is consistent with the runtime instructions. However, the skill metadata declares no required binaries or install steps while the SKILL.md explicitly requires git, node, and npm and a GitHub repository. The missing declaration of those runtime requirements is an incoherence.
Instruction Scope: concernThe instructions tell the agent to git clone a repository, npm install, run node index.js as a background monitor, read and write ./results/, periodically check results, and notify users via messaging channels. Those steps involve network downloads, code execution, filesystem writes, and external notifications — all beyond what the metadata describes and granting substantial runtime discretion.
Install Mechanism: concernAlthough the registry lists no install spec, SKILL.md instructs cloning https://github.com/BringYourOwnBot/arb-injection.git and running npm install. That directs the agent to fetch and execute third‑party code (extract/run), which is higher risk and should have been declared or curated. The lack of an explicit install manifest in the registry but an explicit install flow in SKILL.md is inconsistent.
Credentials: concernThe metadata declares no required env vars or credentials, but SKILL.md references an optional ANTHROPIC_API_KEY and suggests notifying users over channels (Telegram/WhatsApp/Signal/Discord) without specifying required tokens. This mismatch leaves unclear what secrets the skill needs and how they will be used — and the instructions ask the agent to access and possibly transmit findings externally.
Persistence & Privilege: concernThe skill metadata does not set always:true or other persistence flags, yet the instructions assume continuous background monitoring, cron/heartbeat checks, and a daily auto-update git pull/npm install. That indicates intended persistent behavior not reflected in the registry privileges, increasing risk if the agent were to autonomously implement persistence.