Skill v6.0.5

ClawScan security

Upload Clawhub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 2:32 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (automated DeFi execution) matches needing an operator private key, but the SKILL.md instructs agents to persistently set and embed that sensitive key into agent configs and automate handling across other agents — a scope and persistence mismatch that raises risk and incoherence with the registry metadata.
Guidance
Before installing or enabling this skill:

- Do not reuse any main/owner/private wallets. If you test, create a dedicated operator wallet with minimal BNB (as the SKILL.md recommends).
- Resolve the metadata mismatch: the platform metadata lists no required env vars but SKILL.md requires RUNNER_PRIVATE_KEY. Ask the publisher to correct the registry entry and explain how the key is supplied at runtime.
- Never paste your main private key into chat. Prefer ephemeral keys or local environment variables managed by you, not written into persistent agent config files.
- The SKILL.md recommends writing RUNNER_PRIVATE_KEY into agent config files (e.g., Claude/Cursor). Avoid storing a private key in plaintext config files; request alternative signing workflows (local signer, hardware wallet, or ephemeral session only) or confirm that the key is encrypted at rest and not uploaded anywhere.
- Verify the on-chain contract addresses and review the PolicyGuard contract on BscScan (the SKILL.md gives an address; independently confirm the published source matches expected behavior).
- If you plan to install the npm package, audit the package source code (GitHub repo and published tarball) locally before running it; prefer installing in an isolated VM/container.
- Ask the developer how the agent receives and stores the RUNNER_PRIVATE_KEY at runtime, whether it performs any network calls with the key, and whether any logs might leak it.
- If you are not comfortable with storing or letting an agent handle a private key, do not install the skill. Consider read-only alternatives or strictly manual signing flows.

Providing these clarifications and mitigations to the skill author (or withholding enabling the skill until answered) will reduce the risk of accidental key exposure.

Review Dimensions

Purpose & Capability
Note: The claimed capability (execute policy-limited DeFi trades on BSC) legitimately requires an operator wallet private key and RPC config; that aligns with the SKILL.md. However, the registry metadata provided to the platform lists no required env vars while the SKILL.md explicitly requires RUNNER_PRIVATE_KEY (and optionally SHLL_RPC). That metadata mismatch is an incoherence that should be resolved before trusting the skill.
Instruction Scope
Concern: SKILL.md instructs agents to automatically set RUNNER_PRIVATE_KEY for the session and to place the key into various agent config files (e.g., Claude and Cursor configs). It instructs the agent not to ask users to edit env vars manually. This expands the agent's scope to reading/writing persistent user config files and handling a highly sensitive secret, which is broader and riskier than a simple tool invocation. The instructions also advise installation via npm and reference executing arbitrary calldata through PolicyGuard (a legit capability but higher-risk if misused).
Install Mechanism
Note: There is no platform-level install spec, but SKILL.md recommends installing 'shll-skills' from the public npm registry (npm install -g shll-skills). Installing from npm is a common pattern (moderate risk) but since the registry metadata lists no install, the discrepancy should be clarified. The skill does not point to opaque URLs or downloads, which is better than an arbitrary archive URL.
Credentials
Concern: Requesting a single operator private key (RUNNER_PRIVATE_KEY) is proportionate to performing on-chain trades, but the instructions encourage embedding that private key into persistent agent configs and automating its setting, practices that increase exposure. The platform metadata claiming 'none' for required env vars conflicts with the SKILL.md requirement. SHLL_RPC as optional is reasonable.
Persistence & Privilege
Concern: always:false (good), but SKILL.md's guidance to edit agent config files to include RUNNER_PRIVATE_KEY creates persistent storage of a sensitive secret in user-facing config files. The skill's instructions effectively ask for long-lived presence of the private key in agent configurations, which increases blast radius if the key is mishandled. The skill does not declare that it will avoid persisting secrets, and telling the agent to 'set' the key automatically is ambiguous and risky.