GhostScore
Security checks across static analysis, malware telemetry, and agentic risk
Overview
GhostScore appears to be a read-only reputation lookup and verification skill, but users should note that it relies on an external API key and network endpoints that are not declared in the registry requirements.
This skill appears safe to use for read-only GhostScore reputation checks if you trust the GhostScore service. Before installing, confirm the linked project is the one you intend to use, supply only the MONAD_RPC_URL and GhostScore API key described in SKILL.md, and never provide wallet private keys or seed phrases.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the agent may use the GhostScore API key to make authenticated GhostScore backend requests.
The skill requires a service API key and authorizes backend requests with it. This is expected for the GhostScore integration, but it is still delegated account/API access that users should scope and protect.
GHOSTSCORE_API_KEY — API key for the GhostScore backend. Passed as `Authorization: Bearer <key>` header.
Use a scoped, revocable GhostScore API key if available, avoid sharing wallet secrets, and rotate the key if you suspect unintended use.
Reputation or attestation-related requests may be sent to the listed external services during use.
The skill discloses external network access to the GhostScore API and Monad RPC. This is purpose-aligned for reputation queries and attestation verification, but users should know external calls are part of normal operation.
permissions:
  - network: "https://ghostscore-api.onrender.com/*"
  - network: "https://monad-rpc.com/*"
Confirm you trust the GhostScore backend and Monad RPC endpoint before using the skill, especially when using an API key.
The installation or registry view may understate setup requirements, so users could miss that an API key and RPC URL are needed.
The registry metadata does not declare credentials or environment variables, while SKILL.md says MONAD_RPC_URL and GHOSTSCORE_API_KEY are required. This looks like an under-declared metadata issue rather than hidden behavior because the SKILL.md itself discloses the requirements.
Required env vars: none; Env var declarations: none; Primary credential: none
The publisher should align registry metadata with SKILL.md by declaring the required environment variables and credential use.
Users may have less assurance that the registry package corresponds exactly to the referenced GitHub project/version.
The registry metadata lists the source as unknown and version 1.0.3, while SKILL.md claims a GitHub source and frontmatter version 1.1.0. This provenance/version mismatch is not malicious by itself, but it is worth verifying before installation.
Source: unknown ... Version: 1.0.3
Check the linked GitHub project and prefer a registry entry whose source and version metadata match the packaged SKILL.md.
