Skill v0.1.2
ClawScan security
Verigent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 10:41 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (reputation + provenance checks) is plausible, but there are notable inconsistencies and a few runtime instructions that expand its scope (dynamic npm invocation, payment headers) that warrant caution before installing.
- Guidance: This skill appears to do what it says (reputation + provenance checks), but there are red flags to consider before installing or invoking it autonomously:
  1. Clarify the environment variables — SKILL.md requires X_AGENT_ID and wallet addresses, but the registry metadata claims none; don't supply private keys or unrelated secrets (DB passwords, tokens).
  2. The documentation suggests using `npx -y @verigent/mcp-server` — dynamic npm installs execute remote code; only run that after auditing the package (publisher, versions, source, hashes).
  3. Understand reporting behavior: the skill can POST transaction reports and may ask for payment proofs in headers — know what data will be sent to https://verigent.link and avoid including sensitive context unless necessary.
  4. Verify the homepage/privacy policy and confirm the service operator and package ownership (npm/place where @verigent/mcp-server is published).
  5. If you need higher assurance, ask the publisher to: (a) update registry metadata to list the declared env vars, (b) provide a pinned install spec (exact package and checksum), and (c) publish the MCP server source for review.

  If you cannot validate those, treat the skill as untrusted and avoid running any dynamic installs or providing secrets.
Review Dimensions
- Purpose & Capability (note): The name/description (reputation + provenance) match the API endpoints and decision rules in SKILL.md. Requesting an AgentID and on-chain wallet addresses is coherent for identity and optional payment proofs. However, the registry metadata above lists no required environment variables while SKILL.md declares X_AGENT_ID, X402_WALLET_ADDRESS, and SOLANA_WALLET_ADDRESS — that mismatch is an inconsistency that should be clarified. The README also documents many server-side secrets (Redis, Neo4j), which are backend requirements, not agent-side, but their presence increases surface-area complexity.
- Instruction Scope (concern): The runtime instructions are primarily HTTP calls to https://verigent.link and decision logic for handling results (in-scope). But the SKILL.md / README recommend running an MCP integration via `npx -y @verigent/mcp-server`, which would dynamically fetch and execute a remote npm package at runtime — this expands the attack surface beyond simple API queries and allows remote code execution on the agent host. The instructions also prescribe automatic reporting (POST /report) after transactions, which is in-scope but could transmit interaction metadata to an external service; the skill asks agents to include payment proofs in headers once the free tier is exceeded.
- Install Mechanism (concern): There is no formal install spec (instruction-only), which is low risk by itself. However, the README/SKILL.md recommend using npx to run an MCP server package (@verigent/mcp-server). npx will fetch and execute code from the npm registry on demand; because there is no pinned install spec, that is a potential runtime execution risk and should be treated as an installation step that requires review (verify package ownership, published files, and integrity).
- Credentials (concern): SKILL.md declares X_AGENT_ID and two wallet address env vars, which are reasonable for identity/payment headers — these are proportionate for a reputation/payment-aware API. But the registry metadata provided with the skill reported 'Required env vars: none', creating an incoherence. The README also documents many backend secrets (UPSTASH_REDIS_REST_TOKEN, NEO4J_PASSWORD, etc.) that are not needed for an agent client but may confuse users into over-sharing secrets. Ensure only the minimal AgentID/wallet address (public addresses) are provided — never provide private keys or DB credentials to the agent.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable; it does not declare any required config path or attempt to modify other skills. There is no built-in persistent presence or forced inclusion. The main persistent risk is the optional npx MCP server recommendation that could run a long-lived process if an operator chooses to install it.
