Skillv0.1.1

ClawScan security

Lista Lending · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 10:25 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement lending operations and mostly matches its description, but its runtime instructions let the agent autonomously run builds/install commands and write structured logs to disk, and the package metadata/requirements are inconsistent — review before enabling.
Guidance: Summary and practical steps to consider before installing or enabling this skill: - Functionality: This package implements lending-only operations and appears to be the right code for that purpose (vaults, markets, deposit/borrow/repay). It uses a separate wallet-connect skill for signing, which is appropriate. - Inconsistency to review: The registry metadata declares no required binaries or env vars, but SKILL.md requires Node >=18 and allows the agent to run `npm install`/`npm run build`. Confirm whether your environment will run build steps automatically and whether you are comfortable with that. - Build/install risk: If the agent runs `npm install`, it will fetch dependencies from npm and run build scripts on the host — audit package.json and package-lock.json (dependencies, dev scripts, postinstall hooks) before allowing an autonomous build. Prefer using the provided dist bundle (dist/cli/cli.bundle.mjs) so no network install is needed. - Logging/privacy: The skill can write structured debug logs to a file (path from --debug-log-file, SKILL_DEBUG_LOG_FILE, or DEBUG_LOG_FILE). Those logs may include CLI args, JSON outputs, wallet topics/addresses, or other sensitive data. If you enable the skill, avoid enabling debug logging or ensure logs are written to a secure location and retained appropriately. - Signing & consent: The SKILL.md states the agent should explain and get user consent before any on-chain write/sign action. Before trusting this behavior, inspect the executor/executeSteps code to confirm that signing is delegated to the wallet-connect skill (not performed by this skill using raw private keys) and that the code actually prompts for consent where promised. - Recommended actions before enabling: 1) Inspect package.json and package-lock.json for unexpected dependencies or postinstall scripts. 2) Prefer running the bundled dist artifact rather than rebuilding from sources on the agent host. 3) Verify the wallet-connect skill you will use is trusted and that private keys remain under your control. 4) If you must allow rebuilds, restrict network access for the build step or run builds in an isolated environment and audit the installed packages. If you want, I can: (a) list suspicious entries from package.json/package-lock (provide their contents), (b) search the code for any direct private-key usage or network endpoints, or (c) show exactly where the logging code will capture CLI args and how to disable it.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (Lista Lending) match the included code (vaults, markets, deposit/borrow/repay). It correctly depends on a wallet-connect component for signing. However the registry metadata lists no required binaries/env/primary credential while SKILL.md explicitly requires Node.js >=18, often needs npm build steps, and requires lista-wallet-connect; that mismatch is an inconsistency worth noting.
Instruction Scope: concernSKILL.md instructs the agent to run CLI and setup commands itself (e.g., `node dist/... version`, `npm install && npm run build`) and to rebuild wallet-connect if missing. Allowing the agent to run npm install/build autonomously grants it the ability to fetch and execute third-party packages and write to disk. The document also directs the agent to run commands 'directly as the agent; do not ask the user to run shell commands', expanding agent privileges. The skill also encourages automatic rebuilds when artifacts are missing, increasing exposure.
Install Mechanism: noteThere is no declared install spec in registry metadata, but the bundle includes source, dist, package.json and package-lock.json. A built bundle (dist/cli/cli.bundle.mjs) is present, so in normal use the agent need not run npm install. However SKILL.md explicitly allows/requests running `npm install` and `npm run build` when dist is missing — that will download dependencies from npm and execute build scripts. The absence of a declared install policy combined with build instructions is a moderate risk.
Credentials: concernThe skill declares no required credentials/env vars, which is consistent with its public metadata. Internally, the code reads several optional env vars for tuning (LISTA_* concurrency/timeouts) and debug logging (SKILL_DEBUG_LOG_FILE / DEBUG_LOG_FILE). The debug logging feature will capture structured stdout/stderr and append it to a local file, and it propagates SKILL_DEBUG_LOG_FILE to child processes. That can cause sensitive data (wallet topics, addresses, CLI args, JSON outputs) to be written to disk if debug logging is enabled — a privacy/security concern. There is no evidence in the provided code of exfiltrating secrets to external network endpoints beyond the expected SDK/API calls.
Persistence & Privilege: okThe skill is not marked always:true and does not claim to modify other skills' persistent configuration. Its debug-logging sets an environment variable for child processes when running, but it does not appear to persistently change system-wide agent configuration or enable itself unilaterally. The main privilege concern is the agent-run build/install behavior (see instruction_scope).