Skill v1.0.0
ClawScan security
Evomap Check Earnings · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 21, 2026, 5:05 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (fetch EvoMap node earnings/reputation) matches the listed API endpoints, but the instructions omit critical details about authentication and payment, and the publisher/source lacks transparency.
- Guidance: This skill appears to do what it says (call evomap.ai endpoints for node earnings/reputation), but it omits how to authenticate and how the advertised USDC charges are executed. Before installing or using it:
  1. Ask the publisher for official API docs and the required auth/payment flow (API key, bearer token, wallet signature, or payment webhook).
  2. Do not provide credentials or private keys in free-text prompts; prefer scoped keys with minimal permissions.
  3. Verify the evomap.ai domain and the publisher identity (there is no homepage and the source is unknown).
  4. Test with a non-sensitive/dummy node_id first.
  If the publisher cannot explain authentication/payment or provide documentation, treat the skill as unsafe to use.
Review Dimensions
- Purpose & Capability (note): Name/description (check EvoMap earnings/reputation) lines up with the two evomap.ai endpoints in SKILL.md. There is no request for unrelated credentials or binaries, so the overall capability is coherent, but the skill claims paid operations (USDC prices) without explaining how payment or authentication is handled.
- Instruction Scope (concern): Runtime instructions simply say "use node_id" and call the two API endpoints. They do not specify how to authenticate (API key, bearer token, or wallet signature) or how to perform the paid operation. The instructions do not reference reading local files or unrelated env vars, but they are underspecified in ways that could cause the agent to attempt unauthenticated network calls or unexpectedly prompt users for credentials/payment info.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, so install risk is low. Nothing will be written to disk by an installer.
- Credentials (concern): The skill declares no required env vars or credentials, yet the documented endpoints and the listed USDC pricing imply an authentication/payment step that is not declared. Requiring no credentials is unlikely to be sufficient for billing endpoints, so either the skill is incomplete or it expects the agent/user to provide sensitive information ad hoc (a risk).
- Persistence & Privilege (ok): `always` is false and the skill is user-invocable; it does not request persistent presence or attempt to modify other skills or system-wide settings.
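
An added example, not part of this ClawScan report and not the skill's or ClawHub's own code: a small offline consistency check in Python that encodes the Instruction Scope, Credentials, Install Mechanism and Persistence & Privilege checks above, plus the "verify the domain and publisher" step from the guidance. The manifest it runs on is constructed from what this page states (two evomap.ai endpoints, USDC pricing, no declared env vars, no install spec, `always` false, user-invocable, no homepage, unknown publisher); the endpoint paths, the prices, the manifest field names and the `review_skill` and `verdict` functions are assumptions for illustration, not the skill's real SKILL.md or the scanner's logic.

```python
"""Offline pre-install consistency check for an instruction-only agent skill.

Added example (not ClawHub's scanner). The manifest fields, endpoint paths and
prices below are assumptions modelled on the report; the real SKILL.md is not
reproduced here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Endpoint:
    url: str
    price_usdc: float = 0.0  # 0.0 means the call is advertised as free


@dataclass
class SkillManifest:
    name: str
    declared_domain: str          # the service the skill says it talks to
    endpoints: List[Endpoint]
    env_vars: List[str] = field(default_factory=list)  # credentials it declares
    homepage: Optional[str] = None
    publisher: Optional[str] = None
    install_spec: bool = False    # does an installer write anything to disk?
    always: bool = False          # requests persistent presence?
    user_invocable: bool = True


# Env var name fragments taken to indicate a declared auth or payment mechanism
# (assumed heuristic).
AUTH_HINTS = ("KEY", "TOKEN", "SECRET", "WALLET", "SIGNER", "PRIVATE")


def declares_auth(env_vars: List[str]) -> bool:
    return any(any(h in v.upper() for h in AUTH_HINTS) for v in env_vars)


def review_skill(m: SkillManifest) -> Dict[str, str]:
    """Return one 'ok' / 'note' / 'concern' status per review dimension."""
    findings: Dict[str, str] = {}

    # Instruction scope: every endpoint must sit on the declared domain.
    hosts = {urlparse(e.url).hostname or "" for e in m.endpoints}
    off_domain = sorted(
        h for h in hosts
        if not (h == m.declared_domain or h.endswith("." + m.declared_domain))
    )
    findings["instruction_scope"] = (
        f"concern: calls hosts outside {m.declared_domain}: {off_domain}"
        if off_domain else "ok"
    )

    # Credentials: paid endpoints with no declared auth/payment mechanism mean
    # the agent will either call unauthenticated or ask the user for secrets
    # ad hoc, which is the gap the report flags.
    paid = [e.url for e in m.endpoints if e.price_usdc > 0]
    if paid and not declares_auth(m.env_vars):
        findings["credentials"] = (
            f"concern: {len(paid)} paid endpoint(s) but no auth/payment env var declared"
        )
    else:
        findings["credentials"] = "ok"

    # Provenance: without a homepage or publisher the domain cannot be tied to
    # whoever published the skill.
    missing = [k for k, v in (("homepage", m.homepage), ("publisher", m.publisher)) if not v]
    findings["provenance"] = f"concern: no {', '.join(missing)}" if missing else "ok"

    # Install mechanism and persistence map directly onto manifest flags.
    findings["install"] = "note: installer writes to disk" if m.install_spec else "ok"
    findings["persistence"] = (
        "ok" if (not m.always and m.user_invocable)
        else "concern: persistent or not user-invocable"
    )
    return findings


def verdict(findings: Dict[str, str]) -> str:
    return "suspicious" if any(v.startswith("concern") for v in findings.values()) else "ok"


# Constructed manifest mirroring what the report states. The two endpoint paths
# and the USDC prices are placeholders, not the skill's real values.
EVOMAP_SKILL = SkillManifest(
    name="Evomap Check Earnings",
    declared_domain="evomap.ai",
    endpoints=[
        Endpoint("https://evomap.ai/placeholder/earnings", price_usdc=0.05),
        Endpoint("https://evomap.ai/placeholder/reputation", price_usdc=0.05),
    ],
    env_vars=[],       # nothing declared, as the report notes
    homepage=None,
    publisher=None,
)

if __name__ == "__main__":
    result = review_skill(EVOMAP_SKILL)
    for dimension, status in result.items():
        print(f"{dimension:18} {status}")
    print("verdict:", verdict(result))
```

Run on the constructed manifest, the Credentials and provenance checks come back as concerns while scope, install and persistence are ok, which reproduces the report's "suspicious" verdict; adding a declared auth env var and a known publisher is what flips it to ok.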
