v1.0.0

stable-layer-sdk

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:37 AM.

Analysis

The skill appears coherent and not clearly malicious, but it needs review because it centers on signed mainnet blockchain transactions using a raw private key and an external npm package with no included source.

Guidance: Install only if you trust and have verified the npm package and Stable Layer protocol. Do not paste private keys into an agent or application; use a safer signing method, test on testnet, and manually approve each mainnet transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
It supports minting and burning stablecoins, and claiming yield farming rewards... await suiClient.signAndExecuteTransaction({ transaction: tx, signer: keypair });

The skill documents constructing and executing signed blockchain transactions that can move or alter financial assets, without explicit approval or transaction-review safeguards in the instructions.

User impact: If followed carelessly, an agent or user could submit asset-affecting transactions on mainnet that may be hard or impossible to reverse.
Recommendation: Use testnet first, manually review every transaction payload and amount before signing, and require explicit user approval for any mint, burn, claim, or transfer.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install stable-layer-sdk @mysten/sui @mysten/bcs

The skill asks users to install external npm code, while the provided artifact set contains no SDK source and the registry metadata lists an unknown source and no homepage; this matters because that code would be used in a private-key blockchain transaction workflow.

User impact: A wrong, compromised, or unexpected npm package could influence transaction construction or signing behavior.
Recommendation: Verify the npm package owner and source repository, pin exact versions, inspect the package code and lockfile, and avoid using it with valuable keys until provenance is established.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
const keypair = Ed25519Keypair.fromSecretKey(YOUR_PRIVATE_KEY);

The example uses a raw private key to create a signer, which grants authority over the associated Sui account and assets.

User impact: Exposing a private key to an agent, script, or dependency can compromise the wallet and allow unauthorized transactions.
Recommendation: Avoid giving raw private keys to the agent or application; prefer a hardware wallet, wallet adapter, or scoped signing flow, and keep keys outside prompts and code examples.