Skill v1.0.0

ClawScan security

cetus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 12, 2026, 7:12 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only documentation skill for the Cetus Protocol SDK on Sui; its requested resources and instructions align with that purpose and it does not request credentials, install code, or perform unexpected operations.
Guidance
This skill is a documentation bundle for the Cetus Protocol SDKs and appears internally consistent. Before you use it or run the example code:
1) Verify the upstream source (the README points to https://github.com/k66inthesky/cetus) and confirm package names/versions on npm/GitHub to avoid typosquatting.
2) When you run example npm installs, pin versions and inspect package release pages and dependencies; review any postinstall scripts.
3) The examples include creating transaction payloads and setting sender addresses — do not paste private keys into untrusted prompts or environments; use testnet and a throwaway wallet when experimenting.
4) Because the skill is documentation-only, it won’t itself fetch code or run commands, but following its examples will cause npm/network activity on your machine — treat those like any third-party package install.
If you want higher assurance, fetch the referenced SDK repos directly from their official sources and audit them before installing.

Review Dimensions

Purpose & Capability
ok
The skill name and provided SKILL.md are documentation for the Cetus Protocol SDKs (CLMM, DLMM, Vaults, Farms, etc.). There are no declared env vars, binaries, or unrelated requirements. The content (npm package names, initialization examples, API calls) matches the claimed purpose.
Instruction Scope
ok
SKILL.md contains API reference, npm install commands, and code examples for using the SDKs. It does not instruct the agent to read local system files, exfiltrate data, contact unexpected endpoints, or access secrets. Some examples show building transaction payloads and setting a sender address (placeholder values), which is expected for an SDK doc; the skill does not request private keys or instruct signing/execution itself.
Install Mechanism
ok
No install specification or code files are included — this is instruction-only. That is the lowest-risk install model (nothing is written to disk by the skill itself).
Credentials
ok
The skill declares no environment variables or credentials. Examples reference Sui wallet addresses but do not require or request private keys or tokens. This is proportionate for an SDK documentation skill.
Persistence & Privilege
ok
The skill is not marked always:true and has no install actions or configuration writes. It does not request persistent system presence or modification of other skills/configs.