Skill v0.2.1
ClawScan security
Pg Status · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 21, 2026, 10:33 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is mostly a CLI/SDK reference for ProxyGate status, but its instructions and reference docs include commands that read or modify wallet/config and perform deposits/withdrawals without declaring those sensitive requirements—this mismatch is concerning.
- Guidance: This skill is a documentation helper for the ProxyGate CLI/SDK and seems useful for status checks, but it also includes examples for login, deposit/withdraw, and keypair usage without declaring that those credentials or files are needed. Before installing or enabling this skill: avoid giving the agent shell access or access to ~/.proxygate or any wallet/keypair files; do not provide API keys or private key files to the agent unless you explicitly trust the skill and its source; treat any commands that perform deposits/withdrawals or rotate keys as high-risk. If you intend to allow only read-only status checks, restrict the agent's runtime permissions (no file or shell access) or sanitize the skill to remove transactional examples. If you need clearer assurance, ask the skill author for provenance, a homepage/repo, and explicit justification for any privileged commands included in the docs.
Review Dimensions
- Purpose & Capability (concern): Name/description say 'status' (balance, usage, listings, tunnel health), and the SKILL.md primarily documents read-only status commands. However, the included reference also documents transactional and privileged commands (deposit, withdraw, login with keys, keypair paths, rotate-key) which go beyond a pure 'status' helper. The skill declares no required env vars or config paths, but its examples reference ~/.proxygate/config.json and ~/.proxygate/keypair.json and API keys.
- Instruction Scope (concern): Runtime instructions advise running the proxygate CLI and using the SDK; they reference authentication flows, keypair paths, gateway URL overrides, and commands that can move funds (deposit/withdraw) or modify credentials. The SKILL.md does not explicitly instruct the agent to read or exfiltrate files, but it does surface sensitive paths and CLI operations that could be run by an agent with shell access, which widens the scope beyond 'status checks'.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. This is low-risk from an installation perspective.
- Credentials (concern): The skill declares no required environment variables or credentials, yet the content references API keys, keypair files, and gateway URLs that are required to perform many of the shown commands. That mismatch could mislead users into exposing keys or files when the skill itself didn't explicitly request them. Commands like `proxygate login --key`, `--keypair <path>`, and deposit/withdraw require sensitive credentials or access to wallet files.
- Persistence & Privilege (note): `always` is false and there is no install behavior that modifies other skills or global config. The agent may invoke this skill autonomously (platform default), so if the agent has permission to run shell commands or access credential files, it could carry out the privileged CLI operations that appear in the docs. Autonomous invocation alone is not flagged, but combined with the above mismatches it raises operational risk.
