Skill v1.0.3

ClawScan security

Drip Billing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 3:29 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (tracking/metering via a Drip SDK) is coherent with its description, but packaging inconsistencies, missing upstream provenance, and instructions that enable the agent to run remote npm code (npx/mcp server) warrant caution before installing or supplying secrets.
Guidance
Before installing or enabling this skill:
- Verify the upstream package and publisher: find the @drip-sdk/node package on the official npm registry and confirm the publisher and source repository/homepage match what you expect. The registry metadata here lacks a homepage/source which is a red flag.
- Prefer using a public 'pk_' key (as the SKILL.md recommends) rather than an 'sk_' secret key. An sk_ key grants admin operations (webhooks, key rotation, feature flags) and would greatly increase risk if the agent or package is compromised.
- If you run the MCP server via `npx @drip/mcp-server`, run it in a restricted environment (no sensitive env vars exposed) and only with a pk_ key; npx will execute remote code from npm.
- Confirm the DRIP_BASE_URL value is a trusted endpoint you control or recognize, and enforce metadata allowlists/redaction before emitting telemetry (do not send prompts, PII, secrets, or full request bodies).
- Ask the publisher for source code or a canonical homepage/repository if you need higher assurance. Without clear provenance and matching registry metadata, treat this package as unverified and exercise standard supply-chain caution (review package contents, pins, or run in sandboxed environments).
- If you need further certainty, request the skill maintainer to fix the metadata inconsistencies (declare required env vars in the registry spec) and provide a verified source repo and release tarball.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (metered billing / usage tracking) matches the SDK calls and examples in SKILL.md and references/API.md. Required credentials (a DRIP_API_KEY) and a base URL are plausible for this purpose. However, the registry metadata included with the skill claims no required env vars/binaries while SKILL.md explicitly declares DRIP_API_KEY and DRIP_BASE_URL — an inconsistency in packaging/metadata that should be resolved.
Instruction Scope
note: Runtime instructions stay within the billing/telemetry domain (trackUsage, recordRun, startRun, emitEvent, middleware integrations). They explicitly warn not to send raw prompts/PII and recommend least-privilege public keys. The notable scope expansion: SKILL.md offers an MCP server example using `npx @drip/mcp-server` that would give the agent native 'drip_*' tools and allow autonomous telemetry calls — expected for an integration but raises the risk surface if misconfigured or provided with an admin key.
Install Mechanism
concern: The skill is instruction-only (no install spec), but it instructs the user/agent to install or run packages from npm (e.g., `npm install @drip-sdk/node`, `npx @drip/mcp-server`). Installing packages via npm/npx is a common pattern but is higher-risk than instruction-only skills because it pulls and executes third-party code. There is no verified upstream homepage or source in the registry metadata to validate the npm package; SKILL.md recommends checking the package on npm but does not provide a canonical upstream link.
Credentials
note: The only required secrets described are DRIP_API_KEY (primary) and DRIP_BASE_URL; DRIP_WORKFLOW_ID is optional. These are proportional to a billing/tracking SDK. The SKILL.md explicitly distinguishes public keys (pk_) for tracking from secret keys (sk_) that grant admin abilities; supplying an sk_ key would substantially increase risk (webhook & key management capabilities). The registry metadata, however, contradicts SKILL.md by claiming no required env vars — this mismatch is a red flag.
Persistence & Privilege
note: The skill does not request 'always: true' or other elevated installation privileges. It does provide instructions to run an MCP server (via npx) that would register native tools the agent can call autonomously; this is normal for integrations but increases blast radius if a high-privilege API key is used or if the MCP server is obtained from an untrusted package. The skill does not appear to modify other skills or system-wide settings.