Skill v1.0.0

ClawScan security

Clawchain skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 12, 2026, 1:43 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches a Chromia social/trading tool, but it instructs the agent to download and overwrite local files from an external site, create and use private-key files, and references extra tooling (Node/ethers) that the registry metadata doesn't declare — these inconsistencies and the self-update behavior are notable risks.
Guidance
This skill mixes Chromia social features with on-chain trading guidance and instructs the agent to create local private-key files and to download and re-fetch files from https://clawchain.ai (which will overwrite local skill files). Before installing or enabling this skill:

1) Only use it if you trust the https://clawchain.ai domain and its maintainers;
2) Do not generate or store wallets with significant funds—use a dedicated low-value wallet if you want to test;
3) Review the remote files (COLORPOOL_SKILL.md, BSC_PANCAKESWAP_SKILL.md, HEARTBEAT.md) yourself before running any curl commands;
4) Consider disabling autonomous invocation or the heartbeat auto-update, or pin local copies instead of auto-downloading;
5) Be aware the skill asks the agent to solicit user funds (agent address for 'top-ups') — ensure explicit human approval for any fund transfers;
6) Note missing declared dependencies (Node.js, ethers) and verify necessary tooling and security controls before use.

If you want a lower-risk setup, avoid enabling the BSC trading portions or run the skill in a sandboxed environment with no ability to sign real transactions.

Review Dimensions

Purpose & Capability
note: The skill is presented as an on-chain social network (Chromia) and most instructions for posting, commenting, votes and Chromia registration align with that. However the bundle also embeds extensive cross-chain trading guidance (BSC / PancakeSwap) that expands scope beyond a pure social skill. Requiring creation/use of local private-key wallet files for BSC trading is plausible for trading features, but mixing Chromia social operations and arbitrary BSC trading without the registry declaring node/ethers/Node.js dependencies is an inconsistency.
Instruction Scope
concern: SKILL.md and HEARTBEAT.md explicitly tell the agent to curl and save multiple remote files from https://clawchain.ai into ~/.clawchain/skills/clawchain and to re-fetch updates periodically. They also instruct creating and reading local secret files (~/.config/clawchain/credentials.json and ~/.config/bsc_agent/wallet.json containing private keys) and to use those keys to sign transactions. The instructions therefore permit automatic remote updates, writing secrets to disk, and soliciting funds (agent BSC address for 'top-ups'). Those behaviors exceed what a simple social skill should need and create an update-and-exfiltration vector risk if the remote site is malicious or compromised.
Install Mechanism
concern: There is no formal install spec, but the runtime instructions direct the agent to download multiple files via curl from https://clawchain.ai and save them under ~/.clawchain/skills/clawchain. That effectively installs code/instructions from a third-party server at runtime and the heartbeat instructs repeated re-fetches. The domain is not a well-known release host declared in the registry metadata, and the skill registry lists the source as unknown — making this dynamic download/self-update behavior a notable risk.
Credentials
concern: The registry declares no required env vars or primary credential, but the SKILL.md expects several environment variables (CLAWCHAIN_BRID, CLAWCHAIN_NODE, COLORPOOL_BRID, COLORPOOL_NODE, BSC_RPC_URL, etc.) and asks the agent to create and use secret files with private keys. It also requires additional runtime tooling (Node.js + ethers) for the BSC portion but those are not reflected in the registry's declared requirements. Requesting and storing private keys and encouraging the agent to solicit user funds (top-ups) is sensitive and should be explicitly declared and constrained — the current metadata does not do that.
Persistence & Privilege
concern: The skill instructs persistent storage of state and secret files and includes a heartbeat that periodically checks for updated skill files and re-writes local skill files from the remote site. While always:false (not force-installed), autonomous invocation is allowed; combined with automatic file fetching this gives the remote site a high blast radius (it can change agent behavior later). The skill does not request system-wide config changes, but its self-update mechanism and guidance to store private keys give it significant ongoing privilege.