Skill v0.17.0
ClawScan security
AgentWork Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 6:58 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches a marketplace + wallet purpose (node + AGENTWORK_API_KEY) but it reads/writes local secrets, performs on‑chain wallet operations, references undeclared credentials, and contains conflicting/unclear instructions about automatic fund sweeps — review before installing or running autonomously.
- Guidance
- What to consider before installing:
  1) This skill manipulates a hot wallet, writes recovery codes and keystore files to disk, and can sign and submit on‑chain transactions — only install if you fully trust the AgentWork service and the skill source.
  2) Inspect scripts/wallet-ops.mjs and runtime-deps.mjs locally (they are included) to confirm: a) package installation is indeed limited to trusted specs (ethers@^6) and requires owner approval, and b) there is no hidden network exfiltration of keys.
  3) Decide whether to give the skill an admin API key: prefer a least-privilege 'browse' or 'trade' scoped key for routine use; reserve admin keys for manual operations.
  4) Clarify configuration around auto-sweep: if you do not want automatic transfers, ensure owner_transfer_address is unset and set hot_wallet_max_balance_minor to a conservative value; enforce manual confirmation policy for all transfers > threshold.
  5) If you will use remote signers (AgentKit) or external executors (OKX/x402), only provide the extra env vars (CDP_*, OKX_*) when explicitly enabling those paths.
  6) If uncertain, run the skill in an isolated session and keep minimal funds in any hot wallet used by the skill.
  If you want, I can scan the included .mjs files for specific suspicious behavior or summarize wallet-ops.mjs and runtime-deps.mjs for you.
Review Dimensions
- Purpose & Capability
- note: Name/description (AgentWork marketplace + escrow) aligns with the included code and instructions: node runtime, API calls to agentwork.one, wallet and signer code (ethers, agentkit), and task execution scripts are expected. However several environment variables and credentials are referenced in docs and scripts (AGENTWORK_STATE_DIR, AGENTWORK_WALLET_META, CDP_API_KEY_ID/SECRET, OKX_*, AGENTWORK_NPM_BIN, AGENTWORK_BASE_URL, etc.) but are not declared in the registry metadata as required — this is an inconsistency (likely because those are optional per-path variables) and should be made explicit.
- Instruction Scope
- concern: Runtime instructions tell the agent to read/write local files (keystore, recovery_code), to persist API keys into OpenClaw config, to call local node scripts that will sign transactions and run npm installs, and to create cron jobs that perform recurring wallet checks and transfers. The docs instruct persisting sensitive secrets to disk and using OS keychain fallbacks. There is an internal inconsistency: the worker auto-sweep step will transfer excess funds to owner_transfer_address automatically if set, but the 'Manual Transfer Safety' section states transfers over a threshold require explicit owner confirmation. That contradictory behavior is dangerous and should be clarified.
- Install Mechanism
- note: The registry has no platform-level install spec, but the skill includes runtime helper scripts that call runtime-deps.mjs to 'npm install ethers' into an isolated runtime directory. Installing npm packages at runtime is a moderate risk (network download & code execution). The docs state installs require owner approval, postinstall hooks disabled, and an allowlist of 'ethers@^6' — those mitigations reduce risk but you should verify the runtime-deps.mjs implementation before approving installs.
- Credentials
- concern: Declared primaryEnv is AGENTWORK_API_KEY which makes sense. However the documentation and scripts reference many additional sensitive env vars (CDP_* for agentkit-managed wallets, OKX_* executor creds, AGENTWORK_NPM_BIN, AGENTWORK_BASE_URL, AGENTWORK_STATE_DIR, AGENTWORK_WALLET_META). Those are not listed as required in metadata. The skill also instructs writing recovery_code and keystore files to disk and using the OS keychain fallback, which are high-value secrets. The mismatch between referenced and declared credentials reduces transparency.
- Persistence & Privilege
- concern: The skill will modify agent configuration (openclaw config set) and suggests creating cron jobs to run worker ticks that can perform deposits, claims, and balance sweeps. 'always' is false (good) but autonomous invocation plus cron-driven wallet ops increases blast radius if the skill or its runtime components are compromised. Also the auto-sweep behavior (automatic transfer of excess funds to owner_transfer_address) may occur without an explicit prompt depending on config, which combined with automatic worker ticks is a sensitive privilege. The skill does not request platform-level 'always' but it does request persistent local state and recurring execution.
