v1.0.0

Ts Sdk Account

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:37 AM.

Analysis

This is a documentation-only Aptos SDK account-signing skill that appears coherent, but it discusses private keys and transaction submission, so real keys and funds should be handled carefully.

Guidance: Use this as documentation, not as an instruction to run transactions automatically. Keep Aptos private keys and mnemonics server-side, never paste them into chat or commit them, and verify all signing/submission examples against official Aptos docs before using real funds.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Use `aptos.signAndSubmitTransaction({ signer: account, transaction })`

The skill documents transaction signing and submission. This is expected for an Account signer guide, but if used with a real funded account it can mutate on-chain state.

User impact: Generated or copied code could submit blockchain transactions, potentially moving funds or changing account state if run with a real signer.
Recommendation: Require explicit review of the network, transaction payload, recipient, and amount before running signing or submission code.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide an upstream source or homepage to verify the documentation provenance, while the skill presents Aptos SDK guidance involving private-key use.

User impact: Users may assume the guidance is official or current even though the registry metadata does not provide a verifiable source link.
Recommendation: Compare the examples against official Aptos TS SDK documentation before using them with production keys or funds.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Load private keys from env (e.g. `process.env.PRIVATE_KEY`) on server

The skill instructs use of private key material from environment variables. This is purpose-aligned for an Aptos signer guide and includes safe handling advice, but private keys grant account authority.

User impact: A real Aptos private key or mnemonic can control an account and authorize transactions.
Recommendation: Use server-only secrets, avoid pasting keys or mnemonics into prompts or logs, prefer testnet keys while experimenting, and rotate any exposed key.