Skill v6.0.5

ClawScan security

Upload Clawhub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 7, 2026, 2:30 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (AI-driven DeFi execution on BSC) matches its instructions, but there are important inconsistencies and sensitive behaviors — notably undisclosed private-key requirements, guidance to persist that key in agent config files, and an external npm install recommendation — that warrant caution.
Guidance
This skill legitimately needs an operator private key to execute trades, but there are worrying gaps and choices you should consider before installing:

1) Metadata mismatch: the registry claims no required env vars while the SKILL.md requires RUNNER_PRIVATE_KEY — ask the publisher to fix this and explain why it was omitted.
2) Private key handling: do NOT use a main wallet; if you proceed, create a purpose-built operator wallet with minimal BNB and never store your main funds there. Prefer ephemeral session keys where possible and avoid writing the private key to persistent agent config files (the SKILL.md examples show adding it to Claude/Cursor configs).
3) Package provenance: SKILL.md recommends npm install -g shll-skills — verify the npm package publisher and inspect the GitHub repo source before installation.
4) PolicyGuard claims to enforce safety on-chain, but execute_calldata accepts arbitrary calldata (albeit subject to on-chain checks) — understand the on-chain policy rules and verify the listed PolicyGuard contract address on BscScan.
5) If you don't fully trust the source, decline to install or use a read-only setup (monitoring functions only) until you can audit the code and confirm the private-key handling and contract behavior.

If you want, I can: summarize the exact places where a private key would be persisted in your agent, draft safer onboarding steps (ephemeral key or signing-service flow), or list questions to send to the skill author for clarification.

Review Dimensions

Purpose & Capability
note: The skill's name and description (execute DeFi trades on BSC via SHLL/AgentNFA) are consistent with what the SKILL.md instructs: installing an shll CLI/MCP, running swaps, lending, and executing calldata through an on-chain PolicyGuard. However the registry metadata lists no required environment variables / primary credential while the SKILL.md clearly requires RUNNER_PRIVATE_KEY (operator wallet) and optionally SHLL_RPC — this metadata mismatch is surprising and should be corrected/clarified.
Instruction Scope
concern: Runtime instructions explicitly require an operator private key, instruct adding that key into agent configuration files (examples show editing Claude and Cursor MCP config files), and direct the agent to set RUNNER_PRIVATE_KEY automatically for sessions. The tool also exposes execute_calldata/execute_calldata_batch (raw calldata execution through PolicyGuard). These instructions involve reading/writing local agent configs and handling a highly sensitive secret, which broadens the skill's scope beyond a simple read-only tool and gives the agent discretion to persist a private key.
Install Mechanism
note: No install spec is embedded in the registry, but SKILL.md recommends installing an npm package (npm install -g shll-skills) from the public npm registry and links to a GitHub repo. Installing a third-party global npm package is a standard but nontrivial action (downloads and runs external code) and therefore moderate risk — verify the npm package and GitHub source before installing.
Credentials
concern: The skill requires a RUNNER_PRIVATE_KEY (explicitly marked required in SKILL.md) and recommends storing it in env/config for MCP integration. Requesting a dedicated operator key is proportionate to an autonomous trading agent, but the registry metadata fails to declare this. Persisting a raw private key in agent config files (e.g., claude_desktop_config.json or .cursor/mcp.json) or having the agent set it automatically increases exposure; this is especially sensitive and should be limited to ephemeral, minimal-privilege keys only.
Persistence & Privilege
concern: The skill does not set always:true, but the instructions encourage persistent configuration changes (adding shll-mcp to agent mcpServers entries with RUNNER_PRIVATE_KEY embedded). That produces long-lived secret storage on disk and grants persistent execution capability to the agent. Combined with write tools (swap, transfer, execute_calldata), this persistent secret raises the blast radius if the key or the installed package is compromised.