Skill v1.0.0
ClawScan security
Lukso Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 3:14 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only knowledge base about LUKSO (contracts, standards, examples) and its requested/installed footprint matches that purpose — no credentials, binaries, or install steps are required by the skill itself.
- Guidance: This skill is a static LUKSO reference (docs, addresses, code examples) and appears coherent with its stated purpose. Before using it: (1) treat contract addresses/endpoints as documentation and cross-check them on official sources or block explorers; (2) never paste or store private keys or secrets into examples without understanding the code — process.env.PRIVATE_KEY appears only in sample scripts; (3) avoid running unreviewed curl | sh installers referenced in docs unless you trust the installer URL and have reviewed its contents; (4) if you plan to run sample deployment scripts, do so from a secure environment (hardware wallet / ephemeral keys for testing, not your main keys). If you want stronger assurance, ask the skill author for provenance (who maintains this content) or prefer linking to the official LUKSO docs/GitHub rather than running examples verbatim.
Review Dimensions
- Purpose & Capability (ok): The name/description promise (LUKSO expert reference) matches the contents: extensive LSP references, contract addresses, code snippets, RPC/Indexer endpoints and developer patterns. Nothing requested by the skill (no env vars, no binaries, no installs) is inconsistent with being a static knowledge base.
- Instruction Scope (note): SKILL.md and the reference files are documentation and code examples for building on LUKSO. They do not instruct the agent to read local files or exfiltrate data. Notable items to be aware of: examples show use of process.env.PRIVATE_KEY and other provider API keys (typical for developer examples), and the ecosystem file documents a recommended install command 'curl https://install.lukso.network | sh'. These are examples for developers — they do not change the skill’s runtime behavior, but could encourage unsafe operations if followed blindly.
- Install Mechanism (ok): No install specification or code files that would be written/executed at install time. Because this is instruction-only, there is no download/execute risk from the skill package itself.
- Credentials (note): The skill declares no required environment variables or secrets. The documentation includes developer patterns that reference PRIVATE_KEY, provider API keys (SigmaCore/NowNodes), and relayer API keys where appropriate — which is expected for blockchain developer docs. Users should not supply secrets to the skill unless they intend to run the example code themselves in a safe environment.
- Persistence & Privilege (ok): Skill does not request always:true, does not attempt to modify agent config, and has no install steps that would persist code or credentials. Autonomous invocation is allowed by default but not combined with other red flags here.
