Skill v1.0.69
ClawScan security
Vincent - Trading Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 8:35 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's stated architecture (LLM keys and private keys stay server-side) conflicts with runtime requirements that let the agent read local wallet files and run npx to fetch/execute a remote CLI — these mismatches and the implicit remote-code execution risk warrant caution.
- Guidance
- This skill has inconsistencies you should resolve before installing. Specifically: (1) Ask the author to explain why local agentwallet files are required if all private keys and LLM keys are said to remain on Vincent's servers — what exactly is stored in those paths? (2) Treat the allowed use of npx:@vincentai/cli* as equivalent to installing and executing remote code — review the @vincentai/cli package source, versions, and npm publisher, and prefer pinned versions or a vetted install mechanism. (3) Confirm what files the skill will read/write and whether it will transmit wallet contents or other local data to external services. (4) If you must use it, run the agent in a restricted sandbox, limit its filesystem access to only the minimal required path, and monitor network calls. If the maintainer cannot justify the local wallet requirement and the runtime npx behavior, avoid enabling the skill.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to route trades through the Vincent backend and that private keys/LLM keys never leave the server, yet the declared required config paths explicitly point to local agent wallet files (${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/credentials/agentwallet and ./agentwallet). It's unclear why a trading engine that uses a backend service would need local wallet files; this is an unexplained privilege request.
- Instruction Scope
- concern: SKILL.md allows the agent to run Bash via npx:@vincentai/cli* and also grants Read/Write tools. Running npx will download and execute a package from npm at runtime — effectively executing remote code. The instructions also reference ingesting wide-ranging external data (web, Twitter, RSS, on-chain) and using local agentwallet config; the combination broadens what the agent may read, act on, or transmit beyond the stated minimal purpose.
- Install Mechanism
- concern: There is no explicit install spec, but allowed-tools include npx:@vincentai/cli*. npx implicitly fetches code from the npm registry and runs it locally. That is equivalent to an install-from-remote and carries the higher risks called out in the guidance (remote package execution).
- Credentials
- concern: No environment variables are required, but two required config paths point to an 'agentwallet' file. If that file contains private keys or wallet credentials, the skill would have access to sensitive secrets not justified by the description (which said private keys remain on Vincent servers). The mismatch between 'no private keys' claim and required local wallet paths is disproportionate and unexplained.
- Persistence & Privilege
- note: always:false (good). However, the skill requests access to local credential paths and can run remote-installed CLI tools, which is a meaningful runtime privilege even without permanent installation. The skill does not request system-wide persistence, but reading/writing an agent wallet is a high-sensitivity action.
