Skill v1.0.0

ClawScan security

Airdrop Hunter Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 12:12 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill claims full automatic social/on‑chain task execution and free use, but the included script does not perform those actions (it only simulates them), contains contradictory messaging, and has several misleading or questionable behaviors — exercise caution.
Guidance
This skill is deceptive rather than overtly malicious: it claims to auto‑execute social and on‑chain tasks and auto‑convert rewards, but the included script only simulates completing tasks locally and inflates the reported "earned" totals. Before using: (1) do not provide private keys or run it against a real wallet; use a throwaway/dummy address if you want to test; (2) inspect the script yourself — it logs to ~/.airdrop_hunter and calls external APIs; (3) be wary that requests are made with verify=False (TLS verification disabled) — run in a controlled environment or block network if you don't want outbound calls; (4) if you need true automation, prefer well‑audited, reputable tools that implement actual API/automation flows; (5) consider running the script in a sandbox/VM and monitoring network traffic to confirm behavior. Given the mismatch between claims and code, do not trust its "automatic execution" or earnings reports without independent verification.

Review Dimensions

Purpose & Capability
concern: Name/description promise: automatic scanning + automatic completion of social and on‑chain tasks. The code does perform scanning of a few public APIs and writes local state (coherent). However, the core claimed capability — automatic social actions (Twitter/Discord/Telegram) and actual on‑chain interactions — is not implemented: run_tasks only logs, sleeps, and marks tasks as completed while incrementing earned totals. The file header also states a paid price (29.9U) while SKILL.md claims fully free. These discrepancies are deceptive and indicate the skill does not deliver its stated core functionality.
Instruction Scope
concern: SKILL.md instructs users to run the included Python script for scan/run/stats. The script does fetch data from third‑party APIs and writes logs/state to ~/.airdrop_hunter (expected). But it disables SSL warnings and calls requests.get(..., verify=False) (suppresses TLS verification), which is a risky practice. More importantly, the instructions and README promise automatic task completion, tracking, and auto‑conversion, but the code only simulates task completion locally — meaning the instructions overstate the script's behavior and could mislead users into believing tasks were actually executed on social platforms or on‑chain.
Install Mechanism
ok: No install spec; this is instruction + single Python script. Nothing is downloaded or installed automatically by the skill system. Risk is limited to running the included script locally.
Credentials
ok: The skill declares no required environment variables or credentials, and the code does not read secrets or environment variables. It does write files under the user's home directory (~/.airdrop_hunter). The README asks the user to configure a wallet address but the script does not prompt for or store private keys (consistent with its claim).
Persistence & Privilege
ok: The skill is not marked always:true and does not modify other skills or system settings. It stores state and logs in a directory inside the user's home (~/.airdrop_hunter), which is expected for this kind of tool.