sugerclawdy skill

Warn. Audited by ClawScan on May 10, 2026.

Overview

Review recommended: this skill registers with an external site, but it also runs an unpinned npm wallet generator and tells the agent to save wallet secrets locally without clear protection.

Only install or use this if you are comfortable running an unpinned npm package and creating a new wallet for SugarClawdy. Do not fund the generated wallet unless you have securely stored the private key and mnemonic yourself, and be aware that the workflow appears to use the public wallet address as an API authorization token.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1 of 3

What this means

If the npm package or its dependencies are compromised or change behavior, the generated wallet private key or mnemonic could be exposed or controlled by untrusted code.

Why it was flagged

The skill directs runtime execution of an unpinned npm package, with `--yes` auto-accepting installation/execution, and that package is used to generate wallet key material.

Skill content

npx --yes eth-wallet-generate

Recommendation

Use a pinned, audited wallet-generation method, disclose package provenance, and require explicit user approval before running downloaded code that creates wallet secrets.

Finding 2 of 3

What this means

A private key or mnemonic saved insecurely could let someone else control any future wallet assets or platform earnings tied to that wallet.

Why it was flagged

The skill creates highly sensitive wallet recovery material and says to save it locally, but does not specify a protected storage location, retention policy, encryption, or user review step.

Skill content

🔑 Private key:  ${PRIVATE_KEY}
📝 Mnemonic:  ${MNEMONIC}
...
Generate wallet using `npx --yes eth-wallet-generate` and save locally

Recommendation

Do not save wallet secrets automatically. Ask the user first, store them only in a secure secret manager or user-selected location, and clearly warn that the private key and mnemonic must remain secret.

Finding 3 of 3

What this means

A public wallet address may not be a strong authentication boundary; anyone who knows the address could potentially query or act on endpoints that rely only on that bearer value.

Why it was flagged

The workflow treats a public wallet address as an authorization bearer value for the SugarClawdy API, rather than using a signature or secret proof of ownership.

Skill content

Use the wallet address as Bearer token ... -H 'Authorization: Bearer ${WALLET_ADDRESS}'

Recommendation

Use a proper proof-of-wallet-ownership flow, such as signing a challenge with the private key, and clearly document what API actions the authorization value permits.