Skill v1.3.1
ClawScan security
Niuma Bounty · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 25, 2026, 12:37 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The code and instructions match the stated on-chain bounty purpose, but the skill asks the agent/user to provide a raw private key via an environment variable (not declared in metadata), and the package metadata / dependency sources are not fully aligned with the manifest — these inconsistencies raise security concerns that should be addressed before use.
- Guidance: This skill appears functionally correct for interacting with the Niuma Bounty testnet contracts, but it requires signing transactions. Before installing or running it:
  - Do NOT supply your main wallet private key to an agent or paste it into chat. Prefer an external signing wallet (the SKILL.md recommends OKX Agentic Wallet) or a hardware wallet.
  - Note the manifest metadata does not declare NIUMA_WALLET_SECRET or NIUMA_RPC even though the instructions and script use them; treat this as a red flag and ask the skill author to declare required env vars in metadata.
  - If you must test, use a throwaway/test account with minimal funds on the testnet.
  - If you will run npm install locally, review package-lock.json and the dependency sources (mirrors.tencentyun.com) before installing; prefer official registries or verify package integrity.
  - Review the scripts/niuma.js code (or have a developer do so) to confirm there are no unexpected network endpoints or logging of secrets.

  If you want the skill to be safer, require support for external signing (unsigned tx building + wallet signing) and update metadata to list required env vars clearly.
Review Dimensions
- Purpose & Capability (note): Name/description align with the included CLI (scripts/niuma.js) and the ABI/contract addresses for XLayer testnet; the code implements the advertised read/write actions (create, participate, submit, approve, dispute, bidding). However the package metadata declares no required environment variables while the SKILL.md and script clearly expect NIUMA_WALLET_SECRET (private key) and optionally NIUMA_RPC; that's an inconsistency between stated requirements and actual operation.
- Instruction Scope (concern): SKILL.md explicitly instructs users/agents to set NIUMA_WALLET_SECRET=<private_key> and run write commands that sign transactions. That means the agent or operator will be handling raw private keys. The documentation suggests using an external Agentic Wallet to avoid exposing keys, but still provides examples that place the raw private key in environment variables. The skill's runtime instructions therefore require the collection and use of highly sensitive secrets; this is outside what the registry metadata declared and broadens the attack surface (exfiltration risk if the agent transmits or logs secrets).
- Install Mechanism (note): No install spec is provided (instruction-only from the platform perspective), but package.json and package-lock.json are included, implying npm usage if a user executes locally. package-lock shows dependency resolution URLs that point to mirrors.tencentyun.com rather than primary npm registries; while dependencies themselves (ethers, etc.) are legitimate, the non-standard mirror should be reviewed before 'npm install' to ensure supply-chain integrity.
- Credentials (concern): The skill asks for a raw private key (NIUMA_WALLET_SECRET) for signing transactions and supports overriding RPC via NIUMA_RPC, yet the registry metadata lists no required environment variables or primary credential. Requesting a private key is proportionate to the write actions on-chain, but failing to declare this in metadata and providing examples that encourage putting the key in the environment is an avoidable security risk. Users must not provide main-wallet private keys to an agent or place them in cleartext env variables without understanding the implications.
- Persistence & Privilege (ok): The skill does not request 'always: true', does not declare system config paths, and does not modify other skills. Autonomous invocation is allowed by default (normal). There is no evidence the skill attempts to persist beyond its own files or alter platform-wide settings.
