Skillv0.2.0

ClawScan security

a2a-Market-UCP-Broadcast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 19, 2026, 6:49 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's described purpose and protocols are coherent, but the runtime claims and signing requirements are not represented in the package (no code, no declared key/env requirements), which is inconsistent and worth caution.
Guidance: Proceed cautiously. The SKILL.md describes message signing and references a local runtime implementation and tests, but this package contains no code or declared secrets/env vars for private keys. Before installing: (1) ask the publisher to provide the referenced runtime code or a clear install spec; (2) require an explicit, minimal method for providing signing keys (for example, a single declared env var or secret-store path) and documentation for key management; (3) verify the provenance of any external runtime package and review its tests; (4) avoid supplying private keys to the agent directly — prefer a secret store or scoped key with limited privileges; and (5) if you still want to try it, run the implementation and tests in an isolated environment and inspect network behavior to ensure broadcasts go only to intended endpoints. These inconsistencies (missing code and undeclared key handling) are the main reason this is flagged as suspicious.

Review Dimensions

Purpose & Capability: noteName, description, and SKILL.md goals (intent payloads, signing, broadcast, ack collection) are consistent with a UCP broadcast helper. However the SKILL.md asserts a local 'runtime' implementation and test paths (runtime/src/..., npm test) while this published bundle contains no code or install spec — suggesting either missing artifacts or that the skill depends on out-of-band code.
Instruction Scope: concernThe instructions specify signing (sign_intent(intent, private_key)) and runtime behavior but do not describe how private keys are stored/obtained, nor do they constrain where the agent should look for code or run tests. That leaves scope for the agent or integrator to locate sensitive keys or external code at runtime without guidance.
Install Mechanism: okThis is an instruction-only skill with no install spec and no binaries to download or extract — low installation risk. The lack of an install step is coherent with the absence of code, but exacerbates the issue that expected runtime artifacts are missing.
Credentials: concernNo environment variables, credentials, or config paths are declared, yet core functionality requires signing with a private_key. The skill should declare how signing keys are provided (env var, secret store, config path). The omission is disproportionate and could lead to ad-hoc handling of sensitive keys.
Persistence & Privilege: okThe skill is not marked always:true and has no install-time persistence; it cannot force inclusion on every agent run. There is no evidence it modifies other skills or system-wide settings.