Skill v0.1.4
ClawScan security
SafeLink · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 5:22 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions broadly match its stated A2A escrow/wallet purpose, but registry metadata/manifest inconsistencies and the breadth of required secrets (wallet/LLM/deployer keys) are not declared up-front and warrant caution before installing or running.
- Guidance: Key points before installing or running SafeLink:
  - Metadata mismatch: the registry metadata claims 'no required env vars / instruction-only' but the included SKILL.md and code expect many sensitive environment variables (LLM keys, Coinbase/Privy credentials, DEPLOYER_PRIVATE_KEY, optional shared secrets). Treat that inconsistency as a red flag and ask the publisher to clarify.
  - Secrets handling: the interactive setup writes a .env and tests credentials by making network requests. Always use throwaway testnet keys (and not mainnet production keys) when first testing. If you must deploy to mainnet, follow the SKILL.md guidance to use a throwaway DEPLOYER_PRIVATE_KEY for contract deployment and then discard it.
  - Review endpoints: the default facilitator URL and other endpoints are external (e.g., https://x402.org/facilitator, Anthropic, Privy). Confirm you trust those services before providing API keys. The code performs some validation (chainId/token checks) but will still transmit auth tokens as part of validation/payment flows.
  - Network exposure: safe_listen_for_hire starts an HTTP server bound to a port (default 127.0.0.1). Verify it is bound to loopback in your environment and that you do not accidentally expose it to the public internet or an unrestricted reverse proxy.
  - Audit the code paths you care about: if you only plan to use escrow/x402 flows, inspect src/payments/*, src/security/* and wallet providers to ensure they meet your security requirements. Pay special attention to deploy scripts (scripts/deploy-contracts.ts) which execute forge and require a funded private key.
  - Verify publisher and provenance: SKILL.md points to a GitHub repo (https://github.com/charliebot8888/SafeLink) but registry 'Source' was unknown and homepage missing in the registry metadata. Confirm the repository origin, review commit history, and prefer installing from an audited/official source.
  - Run in a sandbox first: install and run in an isolated environment (container or VM) with network egress controls and testnet/throwaway secrets. Ask the author to correct registry metadata before granting production credentials.
  - If you want, I can: 1) list the exact env vars the code expects, 2) point out every place keys are transmitted in the code, or 3) produce minimal run instructions for a safe local test using throwaway/testnet credentials.
- Findings
[ignore-previous-instructions] expected: SKILL.md and README explicitly state tests contain adversarial strings (e.g. 'Ignore all previous instructions') used as fixtures for the input-gate. The presence of the pattern in test fixtures is expected and documented; still surface this to reviewers because prompt-injection strings appear in the repo content.
Review Dimensions
- Purpose & Capability
  - note: The name/description (A2A hiring, escrow, x402, ERC-8004, MPC wallets) aligns with the provided source files (escrow, x402, input-gate, MPC wallet integration, approvals, deploy scripts). HOWEVER the registry summary at the top of the submission states 'Required env vars: none' and 'No install spec / instruction-only' while the SKILL.md and package.json/code clearly expect many environment variables and include full source code. This metadata mismatch is unexpected and should be clarified.
- Instruction Scope
  - note: SKILL.md and scripts instruct the operator to run an interactive setup that collects LLM keys, Coinbase/Privy credentials, and a DEPLOYER_PRIVATE_KEY (one-time) and writes them to a local .env. The setup tests keys by making remote calls (Anthropic, Privy, RPC, facilitator). These behaviours are coherent with the stated purpose (credential checking, onboarding), but they do transmit tester requests to third-party endpoints as part of validation — review that you trust the endpoints and prefer testing with throwaway/testnet credentials.
- Install Mechanism
  - ok: No install spec in registry (instruction-only) and package.json uses normal npm dependencies from known packages. There are no suspicious external download URLs in the provided files; the deploy script invokes Foundry (forge) via child_process, which is expected for contract deployment. Overall the install footprint is standard for a Node/Foundry project.
- Credentials
  - concern: The skill requires multiple high-sensitivity variables (ANTHROPIC_API_KEY or LLM_API_KEY, COINBASE_CDP_API_KEY_PRIVATE_KEY or PRIVY_APP_SECRET, DEPLOYER_PRIVATE_KEY for contract deployment, optional TASK_AUTH_SHARED_SECRET, REDIS_URL, etc.). These are reasonable for a payment/escrow/MPC tool, but the registry metadata failed to declare them. The one-time DEPLOYER_PRIVATE_KEY usage is documented, but storing keys in .env and the setup testing behavior increases risk if users supply production/mainnet credentials. Verify use of throwaway keys for deployment and prefer Privy/Coinbase MPC options if you want reduced local key exposure.
- Persistence & Privilege
  - note: The skill does not set always:true. It can start an HTTP server (safe_listen_for_hire) bound to TASK_SERVER_PORT (default 127.0.0.1:3402) when asked, and writes .env via setup scripts. These are expected capabilities for an MCP server but mean the skill can open network listeners and store local credentials/config — run in isolated environments and confirm binding to loopback before exposing externally.
