Skill v1.1.0

ClawScan security

A.I. Cheese · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 4:40 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's claimed purpose (paying humans for messages) matches the code, but there are coherence and safety gaps — most notably an undeclared required private key, remote-controlled payment recipients, and the potential for autonomous fund transfers.
Guidance
This skill does what it says (pay humans for replies) but requires you to provide a wallet private key and it will transfer USDC to addresses the remote API returns. Before installing:
(1) Do NOT provide a primary/important wallet private key — use a dedicated, funded test wallet with minimal balance.
(2) Confirm the AICHEESE_SERVER URL is legitimate (https://aicheese.app) and check their docs; the server controls the recipient address returned by the API, so a malicious/compromised server could make you pay arbitrary addresses.
(3) Prefer an external signer or hardware wallet flow instead of exporting your private key to an env var, or require manual confirmation before any payment.
(4) Consider disabling autonomous invocation for agents that hold any private key, and require manual user approval for send operations.
(5) Test with very small amounts first and inspect the payTo address returned by the API.
(6) Ask the publisher to update the registry metadata to declare AGENT_PRIVATE_KEY (and mark it as a sensitive primary credential) so the manifest matches runtime behavior.

Review Dimensions

Purpose & Capability
concern: The name/description match the code: it searches a directory, requests payment requirements, and sends USDC on Base. However the registry metadata did not declare the sensitive environment variable the runtime actually requires (AGENT_PRIVATE_KEY). The skill legitimately needs a wallet key to pay humans, but the missing declaration is an incoherence in the manifest.
Instruction Scope
concern: SKILL.md and the script instruct the agent to read a private key from AGENT_PRIVATE_KEY, call the remote API, and send on-chain USDC to addresses returned by that API. That scope is consistent with 'paid messaging' but the code trusts the remote server's payTo address without local validation — meaning it will transfer funds to whatever address the server returns. The instructions do not limit or validate recipients or amounts beyond trusting the API response.
Install Mechanism
note: There is no install spec (instruction-only), which minimizes installer risk. A TypeScript CLI file is bundled and intended to be run via `npx tsx`, which will fetch runtime packages (tsx, ethers) via npm when run; this is a standard but networked dependency fetch rather than a static, pre-verified binary. No downloads from arbitrary URLs or extract operations are present.
Credentials
concern: The runtime requires a wallet private key (AGENT_PRIVATE_KEY) to sign and send USDC transactions — this is proportionate to paying people. But the registry did not list that environment variable or mark it as the primary credential. Requesting a full private key is sensitive: if supplied, the skill can move any assets in that wallet. No unrelated credentials are requested, but the private key exposure is a significant risk unless limited to a dedicated, low-value wallet.
Persistence & Privilege
concern: The skill does not request always:true or system-wide changes, and it doesn't persist itself. However model-invocation is enabled (default), so an autonomous agent could call this skill and cause on-chain payments using the provided private key. Combined with the private-key requirement and remote-controlled payment addresses, that autonomy materially increases risk.