Skill v1.0.0

ClawScan security

Alura · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 19, 2026, 7:02 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is an instruction-only integration for a testnet trading API, and its declared behavior matches the actions described in SKILL.md, but the package origin is unverified (no homepage/source), so exercise caution before trusting it with credentials or performing actions on mainnet.
Guidance
This is an instruction-only testnet API integration and appears coherent, but the package origin is unverified (no homepage/source). Before installing or using:
1) Verify you trust the alura.testnet domain and the project (look for an official repo or docs).
2) Never paste or upload private keys; signing must be performed locally (MetaMask or other wallet) — the skill expects you to sign messages and return the signature to /auth/evm/verify.
3) Treat any accessToken/JWT as sensitive; do not share it outside intended requests.
4) Be cautious when using withdraw/send-USDC endpoints — confirm you are on testnet and not mainnet to avoid real fund transfers.
5) If you need higher assurance, ask the publisher for a homepage or source repo and double-check the API responses and rate limits mentioned in SKILL.md.

Review Dimensions

Purpose & Capability
ok
The name/description (Alura Trading testnet integration) matches the SKILL.md content: documented endpoints, EVM-wallet challenge/verify flow, trading session and market-data endpoints. The skill does not request unrelated credentials or binaries.
Instruction Scope
ok
Instructions are narrowly scoped to HTTP calls against the provided base URL and the standard auth flow (personal_sign -> /auth/evm/verify -> Bearer token). The SKILL.md does not instruct the agent to read arbitrary files, env vars, or system state, nor to exfiltrate data to unexpected endpoints.
Install Mechanism
ok
There is no install spec and no code files; this is instruction-only, so nothing is written to disk or executed by the platform as part of install.
Credentials
ok
The skill declares no required environment variables or credentials. The API uses ephemeral JWT Bearer tokens obtained at runtime via wallet signature, which is appropriate for the documented endpoints. No unrelated secrets are requested.
Persistence & Privilege
ok
The skill is not forced-always and does not request persistent privileges. Autonomous invocation is permitted (platform default), but that is not unusual here and is not combined with other risky requests.