Skill v1.0.2

ClawScan security

trongrid-contract-analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 9:48 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only TRON contract analysis guide that is internally consistent with its stated purpose and does not request unnecessary credentials, installs, or unrelated system access.
Guidance
This is an instruction-only TRON contract analysis skill that calls public TronGrid/MCP endpoints to gather ABI, transactions, events, holders and estimate energy — it does not install code or request secrets. Before installing, confirm your agent environment permits outbound calls to TronGrid (and whether an API key is needed), be aware the safety analysis is heuristic (not a formal audit), and expect rate-limiting if used heavily. There are no signs of file exfiltration or unrelated credential requests in the provided instructions.

Review Dimensions

Purpose & Capability
ok: The name and description (TRON smart contract analysis) match the SKILL.md: all required calls are to TronGrid/MCP endpoints and the steps (ABI, transactions, events, holders, energy, safety scoring) are coherent and expected for this purpose.
Instruction Scope
note: Instructions stay within contract analysis scope (calls to getContractInfo, getContract, getTrc20Info, getContractTransactions, getEventsByContractAddress, getContractInternalTransactions, getTrc20TokenHolders, estimateEnergy, getAccount). They do not instruct reading local files or unrelated env vars. Note: the guide references analyzing bytecode patterns and classifying callers, which are heuristic tasks but still within scope.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is written to disk and there is no third-party package installation risk.
Credentials
note: The skill declares no required environment variables or credentials. This is reasonable for read-only blockchain queries if public RPC access is used, but in practice TronGrid/MPL endpoints sometimes require API keys or rate-limited access; the SKILL.md does not document handling of API keys or rate limits.
Persistence & Privilege
ok: The skill does not request persistent/always-on presence (always: false) and does not modify agent/system configuration in the instructions. Autonomous invocation is allowed by default but is not combined with other concerning privileges.