Back to skill
Skillv2.1.1
ClawScan security
Autonomous Agent Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 11, 2026, 9:38 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions mostly match its stated purpose (wallets + x402 payments), but there are mismatches and omissions around declared environment/config requirements and the instructions allow autonomous creation/use of private keys and signing/pay flows — the user should review before installing or giving it any real keys/funds.
- Guidance
- This skill appears to implement what it claims (Aptos/EVM wallets, x402 payment flow, prediction/backtest/bank-link tools), but pay close attention before installing or supplying secrets: 1) Metadata omits required env vars/config — the code expects X402_FACILITATOR_URL, wallet private keys or wallet files (APTOS_PRIVATE_KEY, EVM_PRIVATE_KEY, APTOS_WALLET_PATH, EVM_WALLET_PATH), HF API keys, etc. 2) The skill reads/writes local wallet files and can sign transactions and submit payments — do NOT provide mainnet private keys or large balances; use testnet keys/funds only. 3) Verify the facilitator URL and repository source (package.json points at a GitHub repo); confirm the code you install matches the upstream repo and that the facilitator service is trustworthy. 4) If you need to allow autonomous agent invocation, restrict its permissions or require explicit user approval for payment actions. 5) If unsure, review the src/ files (attest-*, signPayment, mcp client) yourself or run the skill in a sandboxed/test environment first.
Review Dimensions
- Purpose & Capability
- noteThe name/description (x402 payments, predictions/backtests, bank linking, reputation scores) align with the included code (aptos/evm wallet, x402/mcp client, tools). Required binaries (node/npm) are appropriate. However registry/metadata declares no required env vars or config paths even though SKILL.md and package.json document many expected environment variables (X402_FACILITATOR_URL, HUGGINGFACE_API_KEY/HF_TOKEN, APTOS/EVM wallet paths or private keys, LLM_MODEL, etc.), which is an inconsistency that reduces transparency.
- Instruction Scope
- concernRuntime instructions and scripts read local wallet files (~/.aptos-agent-wallets.json, ~/.evm-wallets.json) and/or environment private keys (APTOS_PRIVATE_KEY, EVM_PRIVATE_KEY) and sign attestation/payment payloads, call external facilitator endpoints, and perform on-chain actions. Those actions are necessary for the stated payment capability, but the SKILL.md instructs the agent to access secrets and local wallet files that were not declared in the skill metadata and to contact external endpoints (facilitator, arnstein.ch flow page, GitHub raw URLs) — this is scope-expanding and should be explicit to users.
- Install Mechanism
- noteThere is no install spec provided by the registry (lowest transport risk). The package includes a full Node.js project with package.json/package-lock and many dependencies (LangChain, viem, @aptos-labs packages). Installing would require npm and will pull third-party packages from npm; that's expected for this functionality but the registry metadata not marking required env/config is inconsistent with the code. No remote arbitrary archive downloads were found.
- Credentials
- concernThe skill requires access to sensitive secrets in practice (wallet private keys, HF API keys, facilitator URL, optional GH_TOKEN) to operate, but the registry lists no required env vars or primary credential. The number and sensitivity of these credentials are proportionate to a payments/wallet skill — but they must be disclosed. The metadata omission is a red flag: the skill will access local keys/files and environment variables that a user may not expect to be needed.
- Persistence & Privilege
- notealways:false (no forced inclusion). disable-model-invocation:false (normal) — so the skill can be invoked autonomously by the agent. Given the skill can sign on-chain payments and retry MCP calls automatically, autonomous invocation increases blast radius (the agent could initiate payments). This is expected for a payment-capable tool, but users should be aware and restrict keys/funds to testnets or require user confirmation for spends.