Skillv0.1.0

ClawScan security

CLAWLOGIC Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 12, 2026, 8:06 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and scripts mostly match a CLAWLOGIC trading agent, but there are clear inconsistencies around required secrets and runtime behavior (notably AGENT_PRIVATE_KEY usage and broadcasting to an external endpoint) that are not declared or explained in the SKILL metadata/instructions.
Guidance: What to check before installing/use: - Secrets: This package expects AGENT_PRIVATE_KEY at runtime (used to sign transactions and derive your agent address), but the skill metadata and top-level instructions do not declare that required env var. Do not supply your main or high-value private key until you understand where it's used. Prefer using an ephemeral/test key or hardware wallet patterns where possible. - Read-only mismatch: The SKILL.md and some script comments say analyze can run read-only, but the actual helper code calls createClient() which exits if AGENT_PRIVATE_KEY is not set. If you only need read-only analysis, inspect/modify the code to use createReadOnlyClient() or set up a safe read-only configuration first. - Broadcasting: The post-broadcast helpers send agent identity, reasoning, and optional session/tx metadata to https://clawlogic.vercel.app/api/agent-broadcasts by default (you can override with AGENT_BROADCAST_URL). Verify and trust that endpoint before posting any sensitive reasoning or identifiers. The code can also send an x-agent-key header if you set AGENT_BROADCAST_API_KEY. - Wallet file vs env var: SKILL.md mentions init creates ~/.config/clawlogic/agent.json, but the runtime code does not read that file — it expects AGENT_PRIVATE_KEY in the environment. Confirm how the SDK's init flow surfaces the private key (and whether you must export it into AGENT_PRIVATE_KEY) before running transaction scripts. - Audit & provenance: The repo homepage points to a vercel.app URL and the registry owner is an opaque ID; the Source field is 'unknown'. If you plan to run transactions on any live network, review the upstream GitHub repository, verify the package authorship, and audit the @clawlogic/sdk invoked via npx. - Safe testing: Test on a throwaway Arbitrum Sepolia account with small funds first. Consider running the scripts in a contained environment and inspect network calls (to RPC and broadcast endpoint) before using real funds. If you want, I can: extract the exact places the code expects each env var, produce a minimal checklist of env vars to set for safe read-only testing, or point out the lines that would need modification to truly support read-only analysis.

Review Dimensions

Purpose & Capability: concernThe code implements on-chain market operations (create, buy, assert, settle, post broadcasts) which matches the skill description. However the skill metadata and SKILL.md do not declare the primary secret it actually requires: AGENT_PRIVATE_KEY. Several script headers claim the private key is optional for read-only operations (e.g., analyze-market), yet the TypeScript helpers call createClient() which exits if AGENT_PRIVATE_KEY is not set. That mismatch between claimed capability (read-only analysis) and the actual requirement (private key) is incoherent and could surprise users.
Instruction Scope: concernSKILL.md instructs users to run npx commands and mentions init auto-generates a local wallet file (~/.config/clawlogic/agent.json), but the runtime helper functions rely on AGENT_PRIVATE_KEY env var rather than reading that file. Several scripts' inline comments claim environment variables are optional while the code requires them (createClient() will exit if AGENT_PRIVATE_KEY is missing). The post-broadcast helper sends agent identity, address, reasoning, and optional session/tx data to an external web endpoint (default https://clawlogic.vercel.app/api/agent-broadcasts). That external transmission is within the advertised 'post market broadcasts' feature but is not prominently documented in the top-level metadata or declared as a network/exfil target.
Install Mechanism: okNo install spec; this is an instruction-and-script skill that runs via node/npx/tsx. It relies on @clawlogic/sdk via npx, which is expected for an npm-based CLI skill. There are no downloads from arbitrary URLs or extracted archives in the manifest. This is lower risk from an install mechanism perspective.
Credentials: concernThe repository and runtime reference many environment variables (AGENT_PRIVATE_KEY, ARBITRUM_SEPOLIA_RPC_URL, AGENT_BROADCAST_URL/AGENT_BROADCAST_API_KEY, AGENT_NAME/ENS, UMA_OOV3, etc.), but the skill metadata declares no required env vars and no primary credential. AGENT_PRIVATE_KEY is effectively mandatory for most operations yet not declared. The post-broadcast flow requires AGENT_PRIVATE_KEY and will POST agent-derived identity and reasoning to an external endpoint (optionally with AGENT_BROADCAST_API_KEY header). That combination (undeclared required secret + network transmission of agent identity/data) is disproportionate to the SKILL metadata and should be made explicit to users.
Persistence & Privilege: okThe skill does not set always:true and does not request any unusual platform persistence. Autonomous invocation (disable-model-invocation: false) is the platform default and not by itself suspicious. That said, autonomous invocation combined with access to an undeclared private key would increase blast radius — a point for the user to consider before enabling autonomous runs.