Skill v0.5.7

ClawScan security

Goodwallet Alpha · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 11:43 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's claims, required binaries, install method, and runtime instructions are internally consistent for a CLI crypto wallet, but it relies on an npm package and remote co-signer services that you should verify before use.
Guidance
This skill appears coherent for controlling a CLI crypto wallet, but take precautions before installing or using it:
1) Verify the npm package 'goodwallet' publisher, version, and source (compare with the GitHub repo and official homepage) to avoid a malicious package.
2) Consider installing in an isolated environment (container or dedicated machine) until you trust it.
3) Review the contents of ~/.config/goodwallet/ after auth and understand that an MPC co-signer (sign.goodwallet.dev) participates in signing — verify you trust that operator and the agent.goodwallet.dev policy enforcement.
4) Never paste or share seed phrases/private keys; use the provided browser-oauth flow.
5) Confirm every state-changing action before executing, and prefer small test transactions when first using the wallet.
If you need higher assurance, ask the publisher for package checksums/signing or inspect the npm package source before installing.

Review Dimensions

Purpose & Capability
ok
Name/description describe a CLI crypto wallet. The skill only requires the node runtime and installs an npm 'goodwallet' CLI binary — which is proportional and expected for a CLI wallet. Declared external services (sign.goodwallet.dev, agent.goodwallet.dev) align with the MPC-signing description.
Instruction Scope
ok
SKILL.md instructs the agent to call the goodwallet CLI, perform interactive browser auth, check balances before state-changing ops, and confirm with the user before signing or sending funds. It does not instruct reading unrelated files or exfiltrating data. The instructions explicitly avoid fabricating values and limit raw output.
Install Mechanism
note
Install is via the npm package 'goodwallet' (global binary). npm installs can run arbitrary install scripts and are moderate risk but are appropriate for a CLI distributed via npm. The skill warns against using npx and expects a global install; this is unusual but not inherently malicious. Verify package publisher and version before installing.
Credentials
ok
The skill does not request environment variables or unrelated credentials. It documents a local config path (~/.config/goodwallet/) holding encrypted MPC shares and auth tokens; storing such data locally is expected for a wallet CLI. Auth is via interactive browser-oauth rather than requiring secret env vars.
Persistence & Privilege
ok
The 'always' flag is false and the skill is user-invocable. It does install a global CLI binary when the user runs install, which writes to disk — expected for a CLI. The skill does not request blanket persistent privileges or attempt to modify other skills or system-wide agent settings.