Skillv1.0.0

ClawScan security

ClawDex Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 13, 2026, 6:46 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's runtime instructions are coherent for a Solana trading CLI, but there are important mismatches and risks: it refers to wallet files and environment secrets that are not declared, and it instructs installing a remote npm package — all of which could let the agent perform real on‑chain trades or access private keys if invoked autonomously.
Guidance: This skill can run real trades and expects access to a local Solana wallet and an API key, but those requirements are not declared in the registry metadata — treat it as risky until clarified. Before installing or enabling it: 1) Do not keep high-value private keys at the default path if you plan to let an agent run such skills; use a dedicated low-value wallet for automation. 2) Require explicit user confirmation for any non-simulated swap or disable autonomous invocation for this skill. 3) Verify the clawdex npm package source (repository, authors, recent releases) and consider pinning a known-good version instead of installing latest. 4) Ensure JUPITER_API_KEY and SOLANA_RPC_URL are managed securely (use environment isolation/secrets manager) and rotate credentials if exposed. 5) Ask the skill author to update the manifest to declare required env vars and document the expected wallet usage and safety model — that would materially reduce the risk and could change this assessment.

Review Dimensions

Purpose & Capability: noteThe name/description (Solana trading via ClawDex/Jupiter) matches the CLI commands shown. However the SKILL.md references environment values and paths (JUPITER_API_KEY, SOLANA_RPC_URL, and ~/.config/solana/id.json) that are required for operation but are not declared in the skill's metadata. That omission is an incoherence between declared requirements and actual needs.
Instruction Scope: concernThe instructions explicitly direct the agent to run clawdex CLI commands that can simulate and execute real swaps (including a required '--yes' for non-interactive execution). They also reference a local wallet file (~/.config/solana/id.json) and an API key. The skill gives the agent permission to read local config and perform fund-moving operations if the wallet is present — this is beyond a purely read-only or quote-only skill and requires explicit, declared consent mechanisms.
Install Mechanism: noteThere is no install spec in the registry, but the SKILL.md suggests running `npm install -g clawdex@latest`. Installing an npm package at runtime pulls code from a remote package registry and grants it execution on the host; this is a legitimate way to obtain a CLI but increases supply-chain risk and should be acknowledged explicitly in the manifest (package provenance, expected version, and source repository).
Credentials: concernThe skill uses and expects secrets/credentials (JUPITER_API_KEY, possibly wallet private key at ~/.config/solana/id.json and RPC URL) yet the skill metadata declares no required env vars or primary credential. Requesting access to a local wallet file and to an API key without declaring them is disproportionate and makes it easy to accidentally expose private keys or allow automated trades.
Persistence & Privilege: concernalways:false (good) but model invocation is allowed (default). Combined with instructions that enable non-interactive swaps (`--yes`) and access to a local wallet, the agent could autonomously execute financial transactions if invoked. The skill does not require explicit interactive confirmations in its manifest; that gap increases risk for autonomous agents.