Skill v1.0.0

ClawScan security

Accounts Payable Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious, Mar 31, 2026, 10:57 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (autonomous accounts-payable using AgenticBTC) is plausible, but the runtime instructions ask the user to install an npm MCP bridge and store an API key in agent config while the skill metadata declares no required credentials — a mismatch that increases risk for a high-impact capability (automated payments).
Guidance
This skill will let an AI agent send real payments via AgenticBTC and instructs you to install an npm MCP bridge and place AGENTICBTC_API_KEY in your claude_desktop_config.json, but the registry metadata doesn't declare that key — treat that as a mismatch. Before installing:
(1) verify the legitimacy of 'agenticbtc-mcp' on npm and audit its code and publisher;
(2) confirm AgenticBTC's real domain and SLA (the SKILL.md links to agenticbtc.io);
(3) do not store long-lived keys in broadly-accessible agent config files without access controls; prefer scoped, revocable credentials and a dedicated payment service account with minimal permissions;
(4) require manual approval/human-in-the-loop for payments above a safe threshold and log all actions to an immutable audit store;
(5) test in a sandbox/legal compliance environment and rotate keys if you decide to proceed.
The current mismatch between declared metadata and runtime instructions is the main reason this is marked suspicious — resolving that (explicit env declaration, documented permissions, third-party audit of the npm package) would raise confidence.

Review Dimensions

Purpose & Capability
Note: The skill claims to be an autonomous accounts-payable/payments agent integrated via MCP/AgenticBTC. Requiring an MCP bridge (agenticbtc-mcp) and an API key is coherent with that purpose. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md explicitly instructs setting AGENTICBTC_API_KEY — this inconsistency is a red flag.
Instruction Scope
Concern: SKILL.md tells the agent to install and call agenticbtc APIs (checkPaymentByReference, sendPayment, getPaymentHistory) and to place an API key into claude_desktop_config.json. It also references helper functions (lookupVendor, getScheduledPayments, logPayment, notifyRequester) without describing required storage/data access. The instructions direct storing a sensitive key into an agent config file and assume access to vendor registries and scheduled payment sources; that broad, under-specified access increases risk and scope creep.
Install Mechanism
Note: The skill is instruction-only but instructs npm install of 'agenticbtc-mcp' and running it via npx. npm is a common registry (moderate risk). There is no direct download URL or extract operation, which is better than arbitrary binary downloads, but the actual npm package should be audited before trusting it for payment operations.
Credentials
Concern: The runtime instructions require AGENTICBTC_API_KEY (and implicitly access to payment rails and vendor data), but the skill metadata lists no required env vars or primary credential. A payment agent legitimately needs an API key — the omission in the metadata is an incoherence that prevents users from seeing the skill's true credential needs ahead of install.
Persistence & Privilege
Note: always:false (not forced into every agent) and model invocation is allowed (default). Autonomous invocation plus the ability to execute real payments is high-impact; while autonomy alone is not flagged, the combination with networked payment capabilities and missing explicit credential declarations warrants caution (prefer explicit human-approval gating for high-value payments).