Skill v0.2.1
ClawScan security
Pg Buy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 21, 2026, 10:33 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (buy API access via ProxyGate) but its runtime instructions reference sensitive local wallet/keypair files and on-chain deposit/withdraw actions while the declared metadata does not advertise any required credentials or config access — this mismatch plus the ability to move funds and proxy arbitrary requests is concerning.
- Guidance: This skill seems to be a legitimate ProxyGate buyer helper, but it tells the agent to use your local Solana keypair and CLI to deposit/withdraw USDC and to proxy arbitrary API requests — actions that require access to sensitive secrets and can move money. Before installing: (1) verify the skill's provenance (homepage, author, and source code) — this skill has no homepage listed; (2) assume the agent will need access to ~/.proxygate/keypair.json and ~/.proxygate/config.json or an API key; do not expose your full wallet/private key unless you trust the skill and its author; (3) prefer using a dedicated limited-funds wallet or test keypair and enable dry-run flags when possible; (4) require explicit user confirmation for any deposit/withdraw commands (ask the platform maintainer how to enforce confirmation); (5) if you cannot verify the author or you need stricter guarantees, decline or restrict the skill until it declares required credentials and a clear consent flow.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose (buying API access through ProxyGate) matches the CLI/SDK commands in SKILL.md: balance checks, deposits, proxy requests, ratings, withdrawals. Requiring a Solana wallet or API key is logically consistent with that purpose. However, the skill metadata declares no required env vars or config paths, while the instructions explicitly reference a keypair path (~/.proxygate/keypair.json) and config (~/.proxygate/config.json). That mismatch is unexpected and should have been declared.
- Instruction Scope (concern): The SKILL.md tells the agent to run commands that access local wallet/keypair files, initialize a vault, deposit USDC (on-chain), withdraw funds, and proxy arbitrary upstream API requests (including streaming and shield modes). These actions involve sensitive local files and financial transactions and will send data to external endpoints (gateway.proxygate.ai and upstream APIs). The instructions also encourage always using this skill for many user intents, giving broad discretion. There is no explicit requirement in the document that the agent must obtain explicit user confirmation before performing fund-moving commands.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That reduces attack surface from supply-chain installs; the skill will only instruct the agent to call existing CLI/SDK tools assumed to be present.
- Credentials (concern): The skill metadata lists no required environment variables or credentials, yet the docs reference API keys and a Solana keypair file, and CLI flags exist to override API key or point to a keypair. Those are sensitive secrets (wallet private keys / API keys) and should have been declared. The agent may be directed to read or use these secrets, which is disproportionate relative to the declared (empty) requirements.
- Persistence & Privilege (concern): always: false (good), but the skill is allowed autonomous invocation (platform default). Combined with the ability to perform deposits/withdrawals and the SKILL.md's recommendation to 'Make sure to use this skill whenever...' this gives an autonomously-invoked skill the potential to perform financial operations without clear manual confirmation. That combination increases risk and should be mitigated by requiring explicit user consent for fund-moving actions.
