Skillv1.0.0

ClawScan security

Clawphunks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 5, 2026, 12:11 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (minting/trading NFTs) matches the code, but there are inconsistent and under-declared secret requirements, instructions that encourage writing/handling private keys, and use of external endpoints that deliver executable scripts — so proceed only after careful review.
Guidance: This skill is about minting/trading NFTs and contains full server and client code, but it asks for sensitive wallet keys and provides instructions that write keys to disk and fetch executable scripts from external domains. Before installing or providing any private key: (1) review every source file yourself (or have a trusted auditor) to confirm what env vars are actually read and what remote hosts are contacted; (2) do not reuse an existing high-value wallet — create a new wallet funded with minimal funds for testing; (3) avoid pasting long-term private keys into agent-level env variables unless you fully trust the code and host; (4) verify the smart-contract addresses and on-chain contracts independently (Etherscan/chain explorers) before sending value; (5) if you plan to let an autonomous agent invoke this skill with a private key, add strict policy controls (spending limits, require human approval) or avoid providing the private key at all and use an external signing service/wallet that enforces approvals.

Review Dimensions

Purpose & Capability: noteThe name/description (mint & trade ClawPhunks) align with the included server, MCP, LangChain and AgentKit integrations and the package.json dependencies. However the metadata declares only WALLET_PRIVATE_KEY as a required env var while the code/docs reference many other secrets (SIGNER_PRIVATE_KEY, AGENT_PRIVATE_KEY, SUPABASE_SERVICE_KEY, FACILITATOR_URL, etc.), which is an inconsistency — either the metadata is incomplete or the skill expects more credentials than declared.
Instruction Scope: concernRuntime instructions and included files instruct agents/users to POST to external endpoints, fetch executable scripts from another domain (chainhost.online /clawphunks/skills), generate and persist private keys to .env, and sign payment authorizations. The SKILL.md plus mcp get_mint_code explicitly guides saving private keys to disk and producing signed payment payloads — actions that go beyond simple read-only queries and expand scope to secret handling and remote code retrieval.
Install Mechanism: noteThere is no install spec in the skill bundle (instruction-only at registry level), which lowers immediate installation risk, but the package includes full source and a package.json with many runtime dependencies (coinbase SDK, supabase, viem, aws sdk, x402-express, etc.). If you or an agent run/install this project, it will pull many third-party packages — review them and prefer executing in an isolated environment.
Credentials: concernThe declared required env var is a single WALLET_PRIVATE_KEY (primary credential). The code and docs, however, reference multiple sensitive env vars (SIGNER_PRIVATE_KEY, AGENT_PRIVATE_KEY, SUPABASE_SERVICE_KEY, PAYMENT_RECIPIENT, FACILITATOR_URL, GAS_STIPEND_WEI) that are not listed in the metadata. Requiring a wallet private key is plausible for an agent that must sign transactions, but giving a private key to a skill that will fetch and potentially return executable scripts increases attack surface; the env requirements are under-declared and therefore disproportionate without additional justification.
Persistence & Privilege: noteThe skill does not request always:true and does not appear to modify other skills or global agent configs. Autonomous invocation is allowed (default). That is expected for an agent-facing NFT tool, but combined with the skill's request for a private key and ability to fetch scripts from external domains, autonomous invocation raises additional risk — ensure the agent's wallet policies and invocation safeguards are appropriate.