Skill v1.0.24

ClawScan security

Optionns · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 20, 2026, 5:49 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests, files, and runtime instructions are internally consistent with an autonomous Solana-devnet sports micro-betting tool — but it requires storing signing keys and talking to an unverified remote API, so proceed cautiously and only with throwaway/devnet keys in an isolated environment.
Guidance
This skill appears coherent for autonomous devnet betting, but take these precautions before installing or running it:
- Use throwaway/devnet-only keypairs; never point SOLANA_RPC_URL or keys to mainnet or reuse real wallets.
- Review the included scripts (especially scripts/signer.py and scripts/optionns.sh) yourself — they perform local signing and will write private key material to ~/.config/optionns/ by default.
- Verify the remote API hostname (https://api.optionns.com) independently (DNS, repo, website, or vendor identity). The skill will transmit your wallet address and receive API keys from that endpoint during registration.
- Run the skill in an isolated environment (container/VM with restricted permissions and network egress) if you plan to allow autonomous invocation.
- Consider pinning and reviewing the pip dependencies (solders, httpx) before pip installing; prefer a virtualenv and inspect packages where practical.
- If you need stronger assurance, request a verified source/repository or reproducible build; absence of a trusted upstream (homepage/source unknown) lowers confidence.
If you are uncomfortable verifying the remote endpoint or code, do not provide real credentials and avoid enabling autonomous runs that can register or transact on your behalf.

Review Dimensions

Purpose & Capability
ok · Name/description (autonomous micro-betting on Solana devnet) match the code and instructions. The skill legitimately needs API access, wallet key material, and the solders/httpx Python libs for signing and HTTP calls; no unrelated credentials or system services are requested.
Instruction Scope
note · SKILL.md and the CLI/scripts instruct the agent to register, call the Optionns API, request faucet funds, create/store a local keypair at ~/.config/optionns/, and sign/submit transactions locally. These steps are expected for the stated purpose but grant the skill permission to generate and persist a keypair and an API credential and to communicate with the remote API — the README explicitly warns to use devnet-only throwaway keys.
Install Mechanism
ok · No packaged install from third-party URLs; code is included in the skill bundle and Python dependencies are installed via pip from PyPI (requirements.txt lists solders and httpx). Pip installs are typical here but carry the usual supply-chain risk of PyPI packages.
Credentials
note · No required environment variables; optional vars (OPTIONNS_API_KEY, OPTIONNS_API_URL, SOLANA_RPC_URL, SOLANA_PRIVATE_KEY, SOLANA_PUBKEY/ATA) are proportional to a trading/signing client. The skill persists an API key and keypair locally and will send wallet_address to the remote API on register — behavior needed for operation but worth attention because it transmits identifying/auth data to an unverified endpoint.
Persistence & Privilege
note · The skill writes config and keypair files under ~/.config/optionns/ (600 perms) and logs positions locally. It does not demand 'always:true' or elevated system privileges; self-registration and autonomous operation are part of the product design but increase blast radius if the remote API or code is malicious.