Skillv1.0.0

ClawScan security

Duola Quant Copy Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 5, 2026, 3:15 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The instructions ask the operator to provide billing API keys and user private keys and to call external billing endpoints, but the skill metadata declares no required credentials or provenance — this mismatch is concerning and deserves clarification before use.
Guidance: Do not run this skill or export secrets for it until you verify its source and credential requirements. Ask the publisher for a source repository or package name and confirm the SkillPay domain and ownership. Before running: 1) Inspect the 'duola' npm package on the registry (or prefer a pinned git release). 2) Never paste private keys into an unverified agent — prefer hardware or ephemeral signing. 3) Demand that required env vars (SkillPay API key, skill id) be declared in metadata and justification for why SkillPay is needed. 4) If you must test, do so in an isolated environment with fake keys and a read-only account. If the publisher cannot provide a clear source and rationale for the billing integration and secret handling, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: concernThe SKILL.md clearly implements a production operator for the 'duola' CLI and a third‑party billing gate (SkillPay). That purpose explains use of duola and billing calls, but the registry metadata lists no required environment variables or primary credential. The presence of SkillPay-specific env vars (SKILLPAY_API_URL, SKILLPAY_API_KEY, SKILLPAY_SKILL_ID) in the runtime instructions is inconsistent with the declared 'Required env vars: none'.
Instruction Scope: concernRuntime instructions direct the agent/operator to: export billing API keys, run billing commands, install and invoke the duola CLI, and feed a private key via stdin into 'duola autopilot onboard'. Asking for private keys and external billing operations is within a trading operator's scope, but these instructions also create an exfiltration risk (private key or billing key could be provided to external services). The SKILL.md gives broad discretion to run CLI installs and billing commands without any metadata that documents those external endpoints or who controls them.
Install Mechanism: noteThis is an instruction-only skill (no install spec). It tells operators to install duola via 'npm install -g duola' or local npm build. Using npm is expected for a CLI, but the skill provides no source URL or repository for either the duola package or the skill itself. Verify the duola package provenance on the npm registry before running global installs.
Credentials: concernThe instructions require several sensitive values (SKILLPAY_API_KEY, SKILLPAY_API_URL, SKILLPAY_SKILL_ID and user private keys) but the skill metadata declares none. There is no 'primary credential' or declared env list to explain where secrets should come from or how they will be protected. Requesting private keys for live trading is plausible, but the lack of metadata, source, or storage/rotation guidance is disproportionate and risky.
Persistence & Privilege: okThe skill is 'always: false', user-invocable, and instruction-only with no install artifacts. It does not request persistent platform privileges or modify other skills. Autonomous invocation is allowed by default but not combined with other privilege escalations here.