Skill v0.1.1
ClawScan security
Agentic Lending EVK · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 9:43 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement the described EVK lending workflow and includes a live-proof script. There is a minor coherence issue: the registry marks a private key env var as required even though the instructions say preview/dry-run modes do not need a private key. Because the skill can perform live on-chain actions, review its configs and protect any private key before enabling live runs.
- Guidance
- This skill looks like what it claims: a workflow plus a bundled Node script that can dry-run or send real Ethereum (Arbitrum) transactions. Important things to consider before installing or running it:
  - Protect your private key: only set ARBITRUM_PRIVATE_KEY (or whatever privateKeyEnv you use) in the environment if you intend to perform live sends. The skill's docs say preview/dry-run is supported without a key, so avoid putting production keys in persistent shells or CI unless necessary.
  - Review configs and keep them out of Git: borrow-proof-config.json and any request.* JSONs may reference real accounts, RPC URLs, and privateKeyEnv names. Keep any secret-bearing config out of source control.
  - Use preview/dry-run first: the skill explicitly prefers planning and dry-run. Run the script with --config <path> (no --live) to see the exact transactions it would submit.
  - Confirm the exact broadcast rules: SKILL.md requires explicit broadcast flags and an acknowledgement token before real sends; verify that the agent actually enforces those before allowing a live run.
  - Browser automation: the workflow can automate browser-assisted funding flows if you allow it. That grants the automation broad control of web UIs, so be cautious about enabling it on behalf of your account.
  - Use a limited ephemeral account for live proofs: fund a throwaway/test wallet with just enough to run the tiny borrow canary rather than exposing a high-value key.
- The main coherence issue is that the registry metadata forces ARBITRUM_PRIVATE_KEY as a required env var even though the documented default behavior supports preview without a key; this is more restrictive than necessary but not itself malicious. If you need stronger assurance, inspect the full evk_live_borrow_proof.js file and the planner binaries referenced by the skill before enabling live runs.
Review Dimensions
- Purpose & Capability
- note
- Name, description, included docs, and the evk_live_borrow_proof.js script all align: this repo-level skill is genuinely for planning, funding (including browser-assisted flows), deploying EVK markets, and running a post-deploy borrow canary. The declared required config files match the CLI usage examples. One mismatch: the registry metadata marks ARBITRUM_PRIVATE_KEY as a required env var (primaryEnv), but SKILL.md explicitly recommends defaulting to planning/preview and states that live signer-backed execution should only be used when the user explicitly asks for it. The private key is necessary for live sends but not for dry-run/preview, so listing it as a hard requirement is stricter than the documented operational model.
- Instruction Scope
- ok
- The SKILL.md instructions are detailed and scoped to the EVK-first workflow. They instruct the agent to prefer plan/dry-run modes, to use live sends only when requested and when the guarded acknowledgement and signer info are present, and to use browser automation only for browser-assisted funding when the user wants full automation. The instructions reference only the declared config files and the bundled script; there are no directives to read unrelated system files or exfiltrate data.
- Install Mechanism
- ok
- This is an instruction-only skill with included JS files and no install spec, which keeps risk lower than arbitrary downloads. The code executes under the user's Node runtime; there are no external install URLs or package downloads declared in the skill metadata.
- Credentials
- concern
- The skill declares a single primary credential, ARBITRUM_PRIVATE_KEY, which is appropriate for live transaction signing. However, SKILL.md and the scripts support preview mode without a private key (they read privateKeyEnv from the config and only require it for --live). Marking ARBITRUM_PRIVATE_KEY as a required env var for the skill's installation or invocation is inconsistent with the documented preview-first workflow and stricter than necessary for planning/dry-run operations. Users should not set long-lived production keys in the environment unless they intend to perform live transactions.
- Persistence & Privilege
- ok
- always:false and normal agent-invocation settings are used. The skill does not request persistent/always-on inclusion and does not modify other skills or system settings. The primary privilege is the ability to sign/send on-chain transactions when a private key is supplied; this is expected for its purpose but is a high-impact capability that requires user caution.
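The preview-first gate that the Guidance and Credentials items above say SKILL.md requires (dry-run unless --live, an acknowledgement token before real sends, the key read from the env var named by privateKeyEnv and only on a live run) is shown below as an added example. It is not the skill's own code and not part of this scan; the flag names --live and --ack, the token value, the config fields privateKeyEnv and rpcUrl, and the sample config and transaction plan are all assumptions constructed for the example.

```javascript
"use strict";

// Hypothetical acknowledgement token; the skill's real token, if any, may differ.
const ACK_TOKEN = "I_ACKNOWLEDGE_THIS_SENDS_REAL_TRANSACTIONS";
// A 32-byte secp256k1 private key, with or without a 0x prefix.
const HEX_32_BYTES = /^(0x)?[0-9a-fA-F]{64}$/;

// Minimal argv parser for: --config <path> [--live] [--ack <token>]
function parseArgs(argv) {
  const opts = { config: null, live: false, ack: null };
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (a === "--live") opts.live = true;
    else if (a === "--config") opts.config = argv[++i] ?? null;
    else if (a === "--ack") opts.ack = argv[++i] ?? null;
    else throw new Error(`unknown argument: ${a}`);
  }
  if (!opts.config) throw new Error("--config <path> is required");
  return opts;
}

// The config names the env var that holds the key and never the key itself, so
// the JSON can sit on disk (still kept out of Git) without carrying a secret.
// Returns null when valid, otherwise a reason string.
function validateConfig(config) {
  const keyEnv = config.privateKeyEnv;
  if (typeof keyEnv !== "string" || keyEnv.length === 0) {
    return "config must set privateKeyEnv to the name of an environment variable";
  }
  if (HEX_32_BYTES.test(keyEnv)) {
    return "privateKeyEnv holds what looks like a raw private key; move it to the environment";
  }
  if (typeof config.rpcUrl !== "string" || !/^https?:\/\//.test(config.rpcUrl)) {
    return "rpcUrl must be an http(s) URL";
  }
  return null;
}

// Decide how a run may proceed: { mode: "preview" | "live" | "refused", ... }.
// Preview needs no key at all. Live needs the ack token and a well-formed key in
// the named env var. The key itself is never copied onto the returned object.
function resolveExecution({ argv, env, config }) {
  const opts = parseArgs(argv);
  const configError = validateConfig(config);
  if (configError) return { mode: "refused", reason: configError };
  if (!opts.live) return { mode: "preview", keyEnv: null };
  if (opts.ack !== ACK_TOKEN) {
    return { mode: "refused", reason: "live run needs --ack with the acknowledgement token" };
  }
  const key = env[config.privateKeyEnv];
  if (!key) return { mode: "refused", reason: `${config.privateKeyEnv} is not set` };
  if (!HEX_32_BYTES.test(key)) {
    return { mode: "refused", reason: `${config.privateKeyEnv} is not a 32-byte hex key` };
  }
  return { mode: "live", keyEnv: config.privateKeyEnv };
}

// Apply the decision to a planned transaction list. In preview (or when refused)
// the exact plan is returned for inspection and nothing is sent; in live mode
// each tx goes through the injected broadcast(tx), which a real script would
// back with a signer created from process.env[decision.keyEnv].
function runPlan(decision, plan, broadcast) {
  if (decision.mode !== "live") {
    return { sent: false, mode: decision.mode, plan, reason: decision.reason ?? null };
  }
  const hashes = plan.map((tx) => broadcast(tx));
  return { sent: true, mode: "live", plan, hashes };
}

// Constructed sample inputs (not from the skill): a config that names the env
// var rather than embedding a key, and a one-transaction canary plan.
const SAMPLE_CONFIG = {
  privateKeyEnv: "ARBITRUM_PRIVATE_KEY",
  rpcUrl: "https://arb1.example.invalid",
};
const SAMPLE_PLAN = [{ to: "0x" + "11".repeat(20), value: "1000", data: "0x" }];
```

Usage: `resolveExecution({ argv: process.argv.slice(2), env: process.env, config: SAMPLE_CONFIG })` followed by `runPlan(decision, SAMPLE_PLAN, broadcast)`; with no `--live` the call returns the plan and never touches the environment, which is the behaviour to confirm before trusting a skill's own live gate.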
