Skill v1.0.0

ClawScan security

Kaspa Wallet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Feb 11, 2026, 9:02 AM)
Verdict: benign
Confidence: medium
Model: gpt-5-mini

Summary
The skill's files, environment variables, and runtime instructions are consistent with a command-line Kaspa wallet; nothing in the package is obviously trying to do unrelated or covert work, though the installer pulls a third-party PyPI dependency (kaspa), which is a normal but non-zero supply-chain risk.
Guidance
This package appears to be a legitimate CLI wallet implementation and its requirements (private key or mnemonic via env, optional RPC URL) match its stated purpose. Things to consider before installing:
- Review the kaspa package on PyPI (the installer uses pip to fetch it); verify the package's publisher and versions to reduce supply-chain risk.
- Inspect the included scripts (you already have them) and, if possible, run installation in an isolated environment (container or VM) before using real keys.
- Prefer ephemeral environment variables (don't store secrets in shell startup files). If you plan to hold significant funds, use a hardware wallet or audited software.
- Confirm the upstream source/repository (install.py references a GitHub URL); the lack of a clear homepage/origin reduces provenance, so verify the repo and maintainer before trusting the binary/library versions installed by pip.
Overall the skill is coherent with its purpose, but standard third-party dependency and secret-handling precautions apply.

Review Dimensions

Purpose & Capability
[ok] Name/description (Kaspa wallet) match the code and instructions: CLI wrapper, wallet creation, balance checks, sends, and RPC use. Required env vars (private key or mnemonic, optional RPC URL/network) are appropriate for a wallet.
Instruction Scope
[ok] SKILL.md and examples restrict operations to wallet-related actions (balance, send, info, fees, generate-mnemonic). The instructions ask the agent to run the included scripts and to set wallet credentials via environment variables; they do not instruct reading arbitrary files or unrelated system state.
Install Mechanism
[note] No exotic installer; install.py creates a venv and runs pip to install the single requirement 'kaspa' from PyPI. This is expected for a Python SDK but does introduce standard PyPI/supply-chain risk (the kaspa package from PyPI should be reviewed/verified if you care about provenance). No downloads from shorteners, personal servers, or unknown archives in the manifest.
Credentials
[ok] Requested environment variables (KASPA_PRIVATE_KEY or KASPA_MNEMONIC, optional NETWORK/RPC/timeout/KASPA_PYTHON) are directly tied to wallet operation. The skill does not declare unrelated secrets or request system credentials or config paths.
Persistence & Privilege
[ok] Skill is not always-enabled and does not modify other skills or system-wide config. Installer creates a local .venv and pip cache under the project directory, which is expected for a local CLI tool. No evidence of the skill persisting credentials to disk (SKILL.md and code assert keys come from env).