Raven Transfer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a disclosed Raven payout tool, but it can move real money with a Raven API key and its approval boundaries need careful review.

Install only if you intend to let an agent assist with Raven NGN payouts. Use a dedicated locked-down Raven API key, disable implicit/autonomous invocation, require a separate human approval before any confirmed transfer, and ensure the local `.state` directory is not synced or shared.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent with the Raven API key and transfer details could preview a payout and then submit it without a distinct human approval step.

Why it was flagged

The tool can submit a real payout after a confirmation token that the tool itself returns; the artifacts do not clearly require the human user to approve or supply that token out-of-band.

Skill content

First call without `--confirm` returns `status=requires_confirmation` and a `confirmation_token`. Re-run the same payload with the `--confirm` token to submit the transfer.

Recommendation

Require explicit user approval at the platform level before any `--confirm` transfer command, and treat the preview token as an accident-prevention check rather than authorization.

What this means

The agent may be able to choose this transfer capability without the user deliberately invoking it, increasing the risk of accidental money movement.

Why it was flagged

For a skill whose stated function includes executing Raven payout transfers, autonomous model invocation weakens the approval boundary; this is also inconsistent with the skill documentation saying implicit invocation should be disabled.

Skill content

disable-model-invocation: false (default — agent can invoke autonomously, this is normal)

Recommendation

Set the registry/runtime configuration to explicit invocation only and require a separate user confirmation for transfer submission.

What this means

Anyone or any agent process with access to this credential may be able to perform Raven account operations allowed by that key.

Why it was flagged

The skill requires a Raven credential that can authorize wallet checks and payouts; this is expected for the stated integration but grants sensitive delegated account authority.

Skill content

One auth source must be available in the runtime environment: `RAVEN_API_KEY_FILE` ... `RAVEN_API_KEY`

Recommendation

Use a dedicated, least-privilege Raven key if available, store it in a locked file or secret manager, and avoid exposing it to unrelated skills or processes.

What this means

Local state could expose transfer references or amounts if the skill folder is synced, backed up, or shared.

Why it was flagged

The skill stores persistent transfer metadata that affects duplicate-transfer checks and may reveal financial activity, but the artifacts disclose minimization and a disable option.

Skill content

Persist only minimal idempotency fields in `scripts/.state/transfer-state.json` ... Never persist account name, account number, or raw provider payloads.

Recommendation

Keep `scripts/.state/` out of backups and repositories, or set `RAVEN_DISABLE_LOCAL_STATE=1` if local idempotency state is not acceptable.

What this means

Users have less publisher/provenance context for code that can initiate financial transfers.

Why it was flagged

The skill includes executable scripts for a financial workflow, but registry provenance and install metadata are sparse; no remote installer or hidden dependency is shown.

Skill content

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill. Code file presence: 4 code file(s)

Recommendation

Review the bundled code and publisher trust before installation, and prefer installing from a verified source or repository.