Skill v1.0.2

ClawScan security

Ceo Protocol Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 10:05 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions match its DeFi purpose, but it does not declare or document its sensitive environment requirements (a private key and an RPC URL) and contains small inconsistencies in its examples. These mismatches are consistent with either misuse or sloppy packaging, and they should be resolved before the skill is trusted with credentials or funds.
Guidance
This skill appears to be what it says (tools to build and submit CEOVault proposals), but it omits critical runtime requirements from its registry metadata. Before installing: (1) do not set AGENT_PRIVATE_KEY in any environment where untrusted code could read it; create a dedicated wallet holding only the funds you are willing to lose during testing; (2) point MONAD_RPC_URL at an RPC endpoint you trust, since a malicious RPC can lie about chain state and simulation results; (3) review the included scripts yourself and confirm that the contract addresses and whitelisted targets match the official CEOVault contracts; (4) run first in dry-run/simulation mode, using the --dry-run option where the scripts provide one; (5) ask the publisher to update the metadata to declare the required env vars (AGENT_PRIVATE_KEY, MONAD_RPC_URL) and to clarify the external helper referenced in the examples. If you cannot verify these points, or are not comfortable exposing a signing key, do not enable this skill with real funds or a real private key.

Review Dimensions

Purpose & Capability
note: Name/description (interact with CEOVault on Monad) align with the included scripts and ABIs: the code builds proposals, signs and submits registerProposal transactions, and reads on-chain data. The companion-skill requirement (ERC-8004 identity, Pond3r) is consistent with the described workflow.
Instruction Scope
note: SKILL.md and the scripts restrict behavior to on-chain interactions and proposal building/submission. They instruct the user to install the companion skills, run 'cd scripts && npm install', and then use the build/submit scripts. Minor inconsistencies: an example CLI invocation references an external path (/opt/viem-signer-skill-scripts/dist/read-contract.js) that is not part of this skill, and SKILL.md truncates some sections; otherwise the instructions stay within the described DeFi scope.
Install Mechanism
note: No formal install spec (instruction-only), but runtime requires running npm install in the scripts folder, which fetches viem and its transitive dependencies from the public npm registry. This is a moderate-risk action (remote packages are executed locally, and npm install also runs any lifecycle scripts those packages define), but it is not unusual for a JS-based on-chain tooling skill; no arbitrary download URLs or archive extractions are used. Installing from a committed lockfile (npm ci) and, if the scripts do not need native builds, passing --ignore-scripts reduces that exposure.
Credentials
concern: The code requires highly sensitive env vars at runtime (AGENT_PRIVATE_KEY for signing transactions and MONAD_RPC_URL for the RPC endpoint), but the registry metadata lists no required environment variables. AGENT_PRIVATE_KEY confers direct signing power and should be explicitly declared and treated as high-risk. The credentials the code reads are functionally necessary for the skill, but their omission from the metadata is an inconsistency between declared and actual behavior and an operational risk: a user cannot see from the listing that installing the skill means handing it a signing key.
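The declared-versus-actual credential gap flagged above (and item 5 of the Guidance) can be checked mechanically before installing any skill. The following is an added example, not part of the ClawHub scanner or of the CEOVault skill: it scans script sources for process.env reads, flags names that look like signing material, notes whether the code calls viem signing/transaction functions, and diffs the result against the env vars the registry metadata declares. The two script bodies and the empty metadata list are constructed to mirror this report's findings; the regexes and the sensitive-name heuristic are assumptions of this example.

```javascript
// Added example (not the scanner's or the skill's own code): static audit of a
// skill's scripts for undeclared environment variables and signing capability.

// Matches process.env.NAME and process.env["NAME"] / process.env['NAME'].
const ENV_READ =
  /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*\])/g;
// Heuristic for names that usually hold key material (an assumption of this example).
const SENSITIVE = /(PRIVATE_KEY|SECRET|MNEMONIC|SEED|TOKEN|PASSWORD)/i;
// viem calls that imply the code can sign or broadcast transactions.
const SIGN_HINTS =
  /\b(privateKeyToAccount|mnemonicToAccount|sendTransaction|sendRawTransaction|writeContract)\b/g;

// Returns the set of env var names a single source file reads.
function envVarsRead(source) {
  const found = new Set();
  for (const m of source.matchAll(ENV_READ)) found.add(m[1] ?? m[2]);
  return found;
}

// Returns the distinct signing-related viem calls found in a source file.
function signingCalls(source) {
  return [...new Set([...source.matchAll(SIGN_HINTS)].map((m) => m[1]))].sort();
}

// files: { path: sourceText }, declaredEnv: env var names from registry metadata.
function auditSkill(files, declaredEnv) {
  const used = new Set();
  const signing = new Set();
  for (const src of Object.values(files)) {
    for (const v of envVarsRead(src)) used.add(v);
    for (const c of signingCalls(src)) signing.add(c);
  }
  const declared = new Set(declaredEnv);
  const undeclared = [...used].filter((v) => !declared.has(v)).sort();
  const unused = [...declared].filter((v) => !used.has(v)).sort();
  const sensitiveUndeclared = undeclared.filter((v) => SENSITIVE.test(v));
  // A signing key the listing never mentions is the worst case: concern.
  const verdict = sensitiveUndeclared.length ? 'concern' : undeclared.length ? 'note' : 'ok';
  return {
    used: [...used].sort(),
    undeclared,
    unused,
    sensitiveUndeclared,
    signingCalls: [...signing].sort(),
    canSign: signing.size > 0,
    verdict,
  };
}

// Constructed sample inputs: two fake script bodies condensed from what the
// report describes, and a metadata env list that declares nothing.
const SAMPLE_FILES = {
  'scripts/submit-proposal.js': `
    const account = privateKeyToAccount(process.env.AGENT_PRIVATE_KEY);
    const client = createWalletClient({ account, transport: http(process.env.MONAD_RPC_URL) });
    const hash = await client.writeContract({ address: VAULT, abi, functionName: 'registerProposal', args });
  `,
  'scripts/read-proposals.js': `
    const rpc = process.env["MONAD_RPC_URL"];
    const dry = process.env.DRY_RUN === '1';
  `,
};
const SAMPLE_METADATA_ENV = []; // the registry listing declares no required env vars

const report = auditSkill(SAMPLE_FILES, SAMPLE_METADATA_ENV);
console.log(JSON.stringify(report, null, 2));
```

On the constructed sample the verdict is concern: AGENT_PRIVATE_KEY is read but never declared, and the same code path calls privateKeyToAccount and writeContract, so an installing user would be handing over unmonitored signing power. The unused list is the mirror check, catching metadata that advertises env vars the code never touches. Run the real audit against the skill's scripts directory and its registry metadata rather than the sample literals.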
Persistence & Privilege
ok: The skill does not set always: true, does not request persistent system-wide privileges, and does not modify other skills. Note: if the agent environment provides AGENT_PRIVATE_KEY and the agent is allowed to invoke the skill autonomously, the skill can sign and broadcast transactions without a human in the loop. That is expected for its purpose, but the blast radius is larger when combined with the undeclared credential requirement, since an operator may not realize that granting autonomous invocation also grants unattended use of a signing key.