Skill v1.0.0
ClawScan security
NEAR Protocol CLI installation and setup guide. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 7:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a documentation-only installation and usage guide for the NEAR CLI, and its instructions, requirements, and external endpoints are consistent with that purpose.
- Guidance: This skill is documentation-only and appears coherent for installing and using near-cli-rs. Before running any installer commands (especially curl ... | sh): verify you trust the GitHub release source, prefer downloading the installer and inspecting it instead of piping it directly to sh, check checksums/signatures if available, and run installers in a low-privilege or sandboxed environment when possible. Be careful when using the CLI commands that import or export accounts: those operations involve private keys/seed phrases; never paste seeds into untrusted tooling. If you need higher assurance, install via your OS package manager or cargo/npm when available, or manually review the installer script on the linked GitHub release page.
Review Dimensions
- Purpose & Capability (ok): The name, description, README, and SKILL.md consistently describe installing, configuring, verifying, and using the near-cli-rs tool. The requested artifacts (none) and included files are documentation only and align with the stated purpose.
- Instruction Scope (note): SKILL.md stays on topic (installation, PATH, verification, common near commands). It does instruct interactive actions that may involve private keys (import/export accounts) but does not request or attempt to harvest credentials itself. Agents following these instructions could cause the user to enter seed phrases or operate on private keys—the skill does not provide guidance to protect sensitive material.
- Install Mechanism (note): The skill is instruction-only (no install spec). The recommended installer uses GitHub Releases (https://github.com/near/near-cli-rs) which is an expected source. However, the instructions include piping a remote installer script to sh (curl | sh), which executes remote code and is inherently higher risk; this is common for CLI installers but users/agents should prefer downloading and reviewing the script or using package managers when possible.
- Credentials (ok): The skill declares no required environment variables or credentials. It mentions config file locations (e.g., ~/.config/near-cli/config.toml) and commands that will interact with account keys; that is proportional to a CLI usage guide. No unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): always is false, the skill is user-invocable, and there is no installation or persistent agent modification. The skill does not request persistent presence or special privileges.
