Skillv1.0.0

ClawScan security

BYOCB ArbInjectionSkill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:02 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (scanning EVM contracts) matches its instructions, but the runtime instructions ask you to fetch and execute code from a GitHub repo, run a persistent background monitor, and send alerts via messaging channels while failing to declare the external credentials and RPC endpoints it will need — these gaps are suspicious and merit caution and review before installing.
Guidance: This skill’s goal (EVM arbitrary-call scanning) is plausible, but the instructions ask you to clone and run a third‑party GitHub repo as a persistent background service and to send alerts through messaging channels — yet it doesn't declare the RPC endpoints or messaging credentials it needs. Before installing: (1) review the referenced GitHub repo source code yourself (or have a trusted auditor do so); (2) run it in an isolated environment/container with least privilege; (3) supply only read-only RPC endpoints or limited-permission keys; (4) avoid providing messaging credentials unless you trust the code and consider using a separate alerting account with minimal permissions; (5) confirm maintainers, repository history, and issue activity; and (6) prefer a packaged skill that declares required env vars and provenance rather than following ad-hoc install steps. If you cannot review the code or verify the repo/maintainers, treat this as high-risk and do not run it on sensitive systems.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (arbitrary call injection scanning and monitoring) aligns with the included runtime instructions (scan bytecode, monitor new deployments, save results). However, required operational pieces that are necessary for that capability — blockchain RPC endpoints, messaging channel credentials, and possibly LLM API keys — are not listed in the skill's declared requirements. That omission is inconsistent with the stated continuous-monitoring purpose.
Instruction Scope: concernSKILL.md instructs the agent/operator to clone a GitHub repository, run npm install, and execute node index.js as a background monitor; read/write local files under ./results; periodically inspect results and send alerts via external messaging channels; and schedule daily git pulls. These instructions involve fetching and executing external code, file I/O, persistent background execution, and sending data to external channels — all without specifying what exact credentials or endpoints will be used or how sensitive data is handled. The broad, operationally open-ended instructions increase the risk of unintended behavior or data exfiltration.
Install Mechanism: concernAlthough the skill package itself contains no install spec, the SKILL.md explicitly tells operators to git clone https://github.com/BringYourOwnBot/arb-injection.git and run npm install / node. That directs the environment to fetch and execute third-party code at runtime. While the host is GitHub (a common release host), cloning and running arbitrary repo code is higher risk than an instruction-only skill that does not prompt external installs.
Credentials: concernThe document mentions optional environment variables (ANTHROPIC_API_KEY, BYBOB_OUTPUT) but the skill declares no required env vars or primary credential. In practice the monitor and scans will need RPC endpoints (and likely RPC keys, rate-limit credentials), and alerting requires messaging service tokens or bot credentials — none are declared. This mismatch means the skill's declared environment access is insufficiently specific and could lead operators to supply sensitive credentials without clear justification.
Persistence & Privilege: noteThe skill does not set always:true, but it strongly instructs operators to run a background process and schedule daily updates (git pull + npm install). That encourages persistent presence on the host and ongoing network activity. While not a platform-level privilege escalation, running persistent third-party code increases the blast radius and should be considered when evaluating trust.