Back to skill
Skillv0.2.1
ClawScan security
Pg Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 21, 2026, 10:33 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required artifacts, and endpoints are consistent with a first-time setup for the ProxyGate CLI; nothing in the files asks for unrelated secrets or performs unexpected actions.
- Guidance
- This skill appears coherent for setting up the ProxyGate CLI. Before installing or handing over keys: (1) verify the NPM package @proxygate/cli on the npm registry or the project's GitHub (maintainer, downloads, source) to reduce supply-chain risk; (2) prefer creating a scoped API key with limited permissions for agents rather than using long-lived high-privilege keys; (3) store API keys in a secure secret store if available and avoid pasting them into untrusted environments; (4) note that a global `npm install -g` runs code on your machine—use caution on production hosts; and (5) the CLI will read/write its own config and any keypair path you provide (~/.proxygate/keypair.json), so protect that file (permissions, encryption) if you use wallet auth.
Review Dimensions
- Purpose & Capability
- okThe name/description (ProxyGate setup) matches the instructions: installing a CLI, authenticating with an API key or wallet keypair, and verifying via gateway.proxygate.ai and app.proxygate.ai. References to CLI commands and config paths (~/.proxygate/config.json) are appropriate for this purpose.
- Instruction Scope
- okSKILL.md only instructs the agent to check/install the CLI, run login/whoami/proxy commands, and manage a keypair file — all within the expected scope. It does not instruct reading unrelated system files or sending data to unexpected endpoints; the referenced endpoints are the ProxyGate domain(s).
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). It recommends installing @proxygate/cli with npm/pnpm (global install). Pulling and running a global npm package is normal for CLIs but carries the usual supply-chain risks (third-party npm code executes on install). Consider verifying the package on the npm registry/GitHub before running.
- Credentials
- okNo environment variables or unrelated credentials are requested. The only secrets involved are the ProxyGate API key or a local wallet keypair file, which are proportional to a CLI that supports API and on-chain wallet auth.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills, and only references its own config path (~/.proxygate/config.json) and optional keypair files. Autonomy (agent invocation) is the platform default and is not combined with other concerning privileges.