Skillv2.1.0

ClawScan security

ClawMoney · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 7, 2026, 4:29 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (earn via ClawMoney) is plausible, but the runtime instructions require automatic installs, background services, and destructive system actions (rm -rf of Electron storage, kill -9) and mandate fully automated onboarding without pauses — these behaviors are disproportionate and warrant caution.
Guidance: This skill appears to implement the advertised ClawMoney functions but includes several high-risk behaviors you should consider before installing or running it: - It requires running commands that modify system state without pauses or confirmations (deleting Electron storage folders, kill -9 of PIDs) — these can log you out of other apps or corrupt local app state. Do not allow the agent to run those automatically. - It silently installs global npm packages and uses npx to fetch/run remote packages. Review the provenance of bnbot-mcp-server and the npx packages (and inspect their code) before permitting installs. - It writes secrets (api_key) to ~/.clawmoney/config.yaml and starts a background Hub provider that accepts incoming tasks from the network. Treat this as enabling a persistent network-facing agent: only enable if you understand what remote tasks may be run and trust the Hub endpoints (api.bnbot.ai). - Recommended precautions: review the scripts line-by-line, run setup in an isolated environment (VM or disposable container), disable or require manual approval for destructive steps (the rm -rf and kill commands), and avoid enabling the Hub provider until you audit what it executes on incoming requests. Verify the skill's source and the npm packages it installs, and confirm the legitimacy of the api.bnbot.ai endpoints and clawmoney.ai homepage. If you want, I can (1) highlight the exact lines that delete files or kill processes, (2) produce a safer, interactive variant of the SKILL.md that asks for explicit consent before each destructive or persistent action, or (3) produce step-by-step guidance for running the setup inside a VM/container.

Review Dimensions

Purpose & Capability: noteMost requested actions (using an agent wallet, calling ClawMoney/BNBot APIs, starting a Hub provider) align with the described 'Earn / Hub / Wallet' features. However, some actions (removing Electron storage cookies across user profiles, force-killing PIDs parsed from tool output, and auto-writing project .mcp.json) are broader than needed for a simple onboarding/browse/execute skill and touch unrelated application state.
Instruction Scope: concernSKILL.md explicitly instructs the agent to run system-level commands without pauses: delete Electron storage directories, kill processes with kill -9, silently install global npm packages, write config files to ~/.clawmoney, and start a background Hub provider that will accept incoming agent tasks. The doc insists 'Run ALL steps below automatically without pausing', which grants the agent significant disk/network/process control and removes user consent points.
Install Mechanism: noteThere is no formal install spec, but bundled scripts perform npm global installs (npm install -g bnbot-mcp-server) and use npx to fetch/run packages (e.g., npx awal, npx clawmoney hub start). npx/npm usage will fetch and execute remote packages at runtime — expected for this functionality but raises supply-chain/malicious-package risk and silent global installs modify the system.
Credentials: concernThe skill requests no declared environment variables, but it reads/writes user config (~/.clawmoney/config.yaml), stores api_key locally, and interacts with wallet tooling which may access private keys or local browser/extension state. The deletion of Electron storage is not proportional to re-authenticating a wallet and may affect unrelated Electron apps. Storing an api_key on disk is expected, but must be clearly consented to.
Persistence & Privilege: concernThough always:false, the skill modifies disk state (.mcp.json in the project root), installs global binaries, and starts a background Hub provider that connects via WebSocket and will accept/execute incoming tasks. That creates persistent network-enabled behavior that can run autonomously and increases blast radius if misused.