Skill v1.0.0

ClawScan security

ABI-to-MCP: The Web3 Skill Architect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 9:06 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (interacting with ERC-20 contracts) matches its instructions, but the runtime instructions require environment variables (PRIVATE_KEY, RPC_URL, CONTRACT_ADDRESS), one of them a raw signing key, that are not declared in the registry metadata. That mismatch, and the fact that the agent is asked to handle a private key directly, are the security concerns.
Guidance
This skill will ask the agent to use an RPC URL and a private key to send transactions. Before installing:
1) Treat PRIVATE_KEY as extremely sensitive. Do not paste your main account's private key into environment variables for a third-party skill. Prefer an external signer (hardware wallet, MetaMask, WalletConnect) or a dedicated burner account holding minimal funds and no privileged roles.
2) Ask the publisher to update the metadata to declare the required env vars and a primary credential, so the need is visible up front.
3) Confirm which write operations the skill will perform; mint and burn require privileged roles on the contract.
4) If you must test, use a testnet or a throwaway account and set low allowances/limits.
5) If you cannot verify the source (no homepage, unknown owner), do not provide real private keys or consent to automatic signing.
Additional information that would raise confidence: an explicit primaryEnv in metadata, source code or a trustworthy repository link, and instructions to use an external signer rather than a PRIVATE_KEY env var.
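
Steps 1, 3 and 4 above amount to a signing policy: the key the agent holds belongs to a burner, the chain is a testnet, the target is the declared contract, amounts are capped, and mint/burn stay disabled unless explicitly enabled. The following added example (not code from the ClawScan report or from the skill it reviews) shows such a gate in Python. It assumes the agent has already ABI-decoded the call it intends to send into a dict with `chain_id`, `to`, `function` and `args`; the decoder and the real external signer are out of scope, so `stand_in_signer`, the addresses and the three sample calls are constructed stand-ins.

```python
"""Pre-signing policy gate for agent-initiated ERC-20 write calls.

Added example, not code from the ClawScan report or the skill it reviews.
It assumes the agent has already ABI-decoded the call it intends to send
into a dict with `chain_id`, `to`, `function` and `args`; the decoder and
the real (external) signer are out of scope, so a stand-in signer is used.
"""
from dataclasses import dataclass, field

SEPOLIA_CHAIN_ID = 11155111   # Ethereum Sepolia testnet
MAINNET_CHAIN_ID = 1
TOKEN_UNITS = 10 ** 18        # one whole token for an 18-decimal ERC-20
UNLIMITED = 2 ** 256 - 1      # the "infinite approval" allowance value


@dataclass
class SigningPolicy:
    contract: str                                   # the CONTRACT_ADDRESS the user agreed to
    chain_ids: set = field(default_factory=lambda: {SEPOLIA_CHAIN_ID})
    functions: set = field(default_factory=lambda: {"transfer", "approve"})
    max_amount: int = 10 * TOKEN_UNITS              # cap per transfer/approve
    allow_supply_changes: bool = False              # mint/burn need an explicit opt-in


def violations(call: dict, policy: SigningPolicy) -> list:
    """Every reason the call must not be signed; an empty list means it may proceed."""
    problems = []
    fn = call["function"]
    amount = call.get("args", {}).get("amount", 0)

    if call["chain_id"] not in policy.chain_ids:
        problems.append(f"chain {call['chain_id']} is not an allowed test network")
    if call["to"].lower() != policy.contract.lower():
        problems.append(f"target {call['to']} is not the declared contract")
    if fn in ("mint", "burn"):
        if not policy.allow_supply_changes:
            problems.append(f"{fn} changes token supply and is not enabled")
    elif fn not in policy.functions:
        problems.append(f"function {fn} is outside the allowlist")
    if fn == "approve" and amount == UNLIMITED:
        problems.append("unlimited allowance requested")
    if amount > policy.max_amount:
        problems.append(f"amount {amount} exceeds the cap of {policy.max_amount}")
    return problems


def sign_if_allowed(call: dict, policy: SigningPolicy, signer) -> dict:
    """Delegate to `signer` only when the policy passes; the key is never touched otherwise."""
    problems = violations(call, policy)
    if problems:
        return {"signed": False, "reasons": problems}
    return {"signed": True, "signature": signer(call)}


def stand_in_signer(call: dict) -> str:
    """Placeholder for a hardware-wallet or WalletConnect signer; returns a fake tag."""
    return f"signed:{call['function']}"


CONTRACT = "0x" + "ab" * 20       # constructed contract address
ALICE = "0x" + "01" * 20          # constructed recipient
POLICY = SigningPolicy(contract=CONTRACT)

# Constructed calls: one within policy, one privileged op on mainnet, one unlimited approval.
OK_TRANSFER = {"chain_id": SEPOLIA_CHAIN_ID, "to": CONTRACT, "function": "transfer",
               "args": {"to": ALICE, "amount": TOKEN_UNITS}}
MAINNET_MINT = {"chain_id": MAINNET_CHAIN_ID, "to": CONTRACT, "function": "mint",
                "args": {"to": ALICE, "amount": TOKEN_UNITS}}
INFINITE_APPROVE = {"chain_id": SEPOLIA_CHAIN_ID, "to": CONTRACT, "function": "approve",
                    "args": {"spender": ALICE, "amount": UNLIMITED}}

if __name__ == "__main__":
    for call in (OK_TRANSFER, MAINNET_MINT, INFINITE_APPROVE):
        print(call["function"], sign_if_allowed(call, POLICY, stand_in_signer))
```

The gate sits between the agent's decision and the signer, so an instruction in SKILL.md that asks for a mint on mainnet or an unlimited approval is refused with a reason the user can read, rather than being signed because the key happened to be in the environment.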

Review Dimensions

Purpose & Capability
concern: The skill claims to interact with ERC-20 contracts, and the SKILL.md describes read/write functions (including transfer, approve, mint, burn). Those capabilities legitimately require an RPC endpoint, a contract address, and a signing key. However, the registry metadata declares no required environment variables or primary credential, creating an inconsistency between what the skill says it needs at runtime and what the package requests in metadata.
Instruction Scope
concern: SKILL.md explicitly instructs the runtime to use RPC_URL, PRIVATE_KEY, and CONTRACT_ADDRESS and to execute write transactions that consume gas. The instructions stay within the stated purpose (blockchain reads and writes), but they direct the agent to handle a private key and perform state-changing operations that can move funds or change token supply. The file does not specify safe signing practices (for example, an external signer) or limit the agent's discretion, which increases risk.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so an installer writes nothing to disk: low install risk. Runtime behavior, however, depends entirely on the agent following the SKILL.md instructions.
Credentials
concern: SKILL.md requires three runtime values (RPC_URL, PRIVATE_KEY, CONTRACT_ADDRESS), but the skill metadata lists none and sets no primary credential. Requiring a PRIVATE_KEY is proportionate to performing write transactions, but not declaring it in metadata is an incoherence and a red flag. The PRIVATE_KEY is highly sensitive: anyone who obtains it has full control of the account's on-chain assets and of any privileged contract roles (such as a minter role) that account holds.
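
The mismatch flagged under Purpose & Capability and again here can be checked mechanically before installing. The added example below (not ClawHub's scanner code) extracts SCREAMING_SNAKE_CASE names from a SKILL.md, compares them with the environment variables the metadata declares, flags the undeclared ones whose names suggest credentials, and lists the state-changing ERC-20 operations the instructions mention. The metadata key `requiredEnv`, the sample SKILL.md excerpt and the sample metadata JSON are constructed assumptions modelled on this report, not the registry's real schema; `primaryEnv` and `always` are the field names the report itself uses.

```python
"""Cross-check a skill's SKILL.md against its registry metadata.

Added example, not ClawHub's scanner. The metadata key `requiredEnv`, the
SKILL.md excerpt and the metadata JSON below are constructed assumptions
modelled on the report, not the registry's real schema.
"""
import json
import re

# Constructed sample SKILL.md: tells the runtime to read three env vars and
# describes both read and write calls.
SKILL_MD = """\
# ABI-to-MCP

Read `RPC_URL`, `PRIVATE_KEY` and `CONTRACT_ADDRESS` from the environment.
Supported functions: balanceOf, transfer, approve, mint, burn.
Write calls are signed with PRIVATE_KEY and consume gas.
"""

# Constructed sample metadata: declares no env vars and no primary credential.
METADATA_JSON = (
    '{"name": "abi-to-mcp", "version": "1.0.0", '
    '"requiredEnv": [], "primaryEnv": null, "always": false}'
)

# SCREAMING_SNAKE_CASE with at least one underscore, so ABI, MCP and SKILL are skipped.
ENV_REF = re.compile(r"\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\b")
# Name fragments that almost always denote a secret when used as an env var.
SENSITIVE = re.compile(r"PRIVATE_KEY|MNEMONIC|SEED|SECRET|TOKEN|PASSWORD|API_KEY")
# ERC-20 functions that change state; mint/burn additionally change supply.
WRITE_OPS = {"transfer", "transferFrom", "approve", "mint", "burn"}
SUPPLY_OPS = {"mint", "burn"}


def referenced_env(skill_md: str) -> list:
    """Environment variable names the instructions tell the agent to read."""
    return sorted(set(ENV_REF.findall(skill_md)))


def write_ops(skill_md: str) -> list:
    """State-changing ERC-20 functions the instructions mention by name."""
    return sorted(op for op in WRITE_OPS if re.search(rf"\b{op}\b", skill_md))


def review(skill_md: str, metadata_json: str) -> dict:
    """Compare runtime needs against declared metadata and grade the gap."""
    meta = json.loads(metadata_json)
    declared = set(meta.get("requiredEnv") or [])
    if meta.get("primaryEnv"):
        declared.add(meta["primaryEnv"])

    undeclared = sorted(set(referenced_env(skill_md)) - declared)
    sensitive = [v for v in undeclared if SENSITIVE.search(v)]
    ops = write_ops(skill_md)

    findings = []
    if undeclared:
        findings.append("SKILL.md uses env vars the metadata does not declare: " + ", ".join(undeclared))
    if sensitive:
        findings.append("undeclared variables that look like credentials: " + ", ".join(sensitive))
    if ops:
        findings.append("state-changing operations described: " + ", ".join(ops))
    if SUPPLY_OPS & set(ops):
        findings.append("mint/burn change token supply and normally need a privileged role on the contract")
    if meta.get("always"):
        findings.append("metadata sets always:true")

    if sensitive:
        verdict = "suspicious"   # an undeclared signing key is the red flag in the report
    elif undeclared or ops:
        verdict = "review"       # declared, but the skill still performs writes
    else:
        verdict = "ok"
    return {"verdict": verdict, "undeclared_env": undeclared, "write_ops": ops, "findings": findings}


if __name__ == "__main__":
    result = review(SKILL_MD, METADATA_JSON)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Run against the constructed sample, the check reproduces this report's finding: three referenced variables, none declared, one of them a signing key, and four write operations including mint and burn. Declaring RPC_URL and CONTRACT_ADDRESS in `requiredEnv` and PRIVATE_KEY as `primaryEnv` clears the mismatch but still leaves the write operations to be reviewed, which is the point of step 3 in the guidance.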
Persistence & Privilege
ok: The skill does not request always:true and does not claim to modify other skills or system configuration. Autonomous invocation is allowed by platform default; that is not a misconfiguration on its own, but it should be weighed together with the concerns above.