Skill v1.0.0

ClawScan security

Make Git Escrow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 12:28 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and instructions mostly match its stated purpose (creating an on-chain escrow), but it asks for a high-privilege PRIVATE_KEY and gives insecure guidance (e.g., passing the private key on the command line), which raises practical safety concerns.
Guidance
This skill appears to do what it claims (create an on-chain git escrow), but it requires your PRIVATE_KEY, a highly sensitive credential. Before installing or running it:
1) Do NOT paste private keys directly on command lines: arguments go into shell history and are visible to other users in process listings. Prefer an environment variable loaded from an access-restricted file, a locked keystore, or a hardware wallet / signer that the CLI can use without ever seeing the raw key (environment variables are still readable by other processes running as your user and can leak into crash dumps and CI logs, so a keystore or hardware signer is the stronger option).
2) Use an account holding only the funds needed for the escrow (an ephemeral or testnet account) rather than your main wallet.
3) Inspect the git-escrows npm package source (or the project's GitHub repository) to verify its behavior before running it.
4) Keep the .env file access-restricted (mode 600) and delete or rotate any private key stored there after use.
5) If you allow autonomous agent invocation, require explicit per-transaction confirmation so the agent cannot sign and submit transactions without your approval.
If you cannot follow these precautions, do not supply a private key to this skill.
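Precautions 1, 4 and 5 above (keep the key out of argv, lock down .env, confirm each transaction) as an added shell example. This is not code from the skill or from the git-escrows project: it assumes a .env file with PRIVATE_KEY and NETWORK lines as the skill describes, uses a constructed dummy key, and substitutes a placeholder function `fake_submit` for the real `git-escrows submit`, since the page documents no CLI flags beyond the `--privateKey` one it warns against.

```shell
#!/bin/sh
# Added example (not the skill's or git-escrows' own code): load PRIVATE_KEY from
# a locked-down .env and hand it to the signing command through the child's
# environment, never through argv, and only after an explicit per-transaction "yes".
#
# INSECURE pattern the SKILL.md suggests (shown for contrast, do not run):
#   git-escrows new-client --privateKey "0x..."
# argv is visible to every user via `ps`, lands in shell history and in any
# wrapper's logs.

# Constructed dummy key for the demo: 0x + 64 hex digits, not a real account.
DEMO_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Succeed only if FILE exists and neither group nor other can read it (mode 600 or tighter).
env_file_private() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]
}

# Print the value of NAME from a KEY=value .env file (first match, surrounding quotes stripped).
# Usage: env_value FILE NAME
env_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# An Ethereum-style private key: 0x followed by exactly 64 hex digits.
valid_private_key() {
  printf '%s\n' "$1" | grep -Eq '^0x[0-9a-fA-F]{64}$'
}

# Run CMD with PRIVATE_KEY and NETWORK exported only inside a subshell, so the key
# never appears on a command line and never persists in the parent shell.
# Usage: run_with_key_in_env ENVFILE CMD [ARGS...]
run_with_key_in_env() {
  _envfile=$1; shift
  env_file_private "$_envfile" || { echo "refusing: $_envfile is readable by group/other" >&2; return 2; }
  _key=$(env_value "$_envfile" PRIVATE_KEY)
  valid_private_key "$_key" || { unset _key; echo "refusing: PRIVATE_KEY is malformed" >&2; return 3; }
  ( export PRIVATE_KEY="$_key" NETWORK="$(env_value "$_envfile" NETWORK)"; "$@" )
  _rc=$?
  unset _key          # do not leave the key in the parent shell's variables
  return $_rc
}

# Show what is about to be signed and require the operator to type exactly "yes".
# Usage: confirm_transaction REPO COMMIT NETWORK
confirm_transaction() {
  printf 'About to submit escrow for %s@%s on %s. Type yes to continue: ' "$1" "$2" "$3" >&2
  read -r _answer || return 1
  [ "$_answer" = "yes" ]
}

# Stand-in for `git-escrows submit` (assumption: the real CLI reads PRIVATE_KEY from
# its environment). It proves it received a key of the right length without printing it.
fake_submit() {
  [ "${#PRIVATE_KEY}" -eq 66 ] && printf 'submit ok on %s (key present, length %s)\n' "$NETWORK" "${#PRIVATE_KEY}"
}

# End-to-end demo: write a constructed .env with mode 600, confirm, submit, clean up.
demo_secure_submit() {
  _dir=$(mktemp -d) || return 1
  (umask 077; printf 'PRIVATE_KEY="%s"\nNETWORK=sepolia\n' "$DEMO_KEY" > "$_dir/.env")
  confirm_transaction "github.com/example/repo" "abc1234" "$(env_value "$_dir/.env" NETWORK)" \
    || { rm -rf "$_dir"; return 4; }
  run_with_key_in_env "$_dir/.env" fake_submit
  _rc=$?
  rm -rf "$_dir"      # remove (in practice: rotate) the key material once the escrow is submitted
  return $_rc
}

printf 'yes\n' | demo_secure_submit || echo "demo: declined or failed" >&2
```

The subshell in `run_with_key_in_env` is what keeps the key off the command line: the child inherits it through its environment, `ps` shows only the command name and its benign arguments, and the parent shell does not retain the variable after the call.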

Review Dimensions

Purpose & Capability
ok · The skill's name and description (create a git escrow bounty) align with its declared needs: the git-escrows CLI, git, a .env file containing a PRIVATE_KEY, and network access to an Ethereum RPC endpoint. Requiring a signing key is consistent with submitting a transaction that locks tokens in escrow.
Instruction Scope
concern · The instructions stay within the stated task (checking for the CLI, reading PRIVATE_KEY and NETWORK from .env, gathering the git repository and commit, running git-escrows submit). However, the SKILL.md explicitly suggests passing a raw private key on the command line (git-escrows new-client --privateKey "0x..."), which is insecure: the argument is exposed in shell history, process listings, and any wrapper's logs. The skill also directs the agent to read .env in the working directory; that file may contain other secrets, although the instructions reference only PRIVATE_KEY and NETWORK. No instructions appear to exfiltrate data to unrelated endpoints, but the private-key handling guidance is risky.
Install Mechanism
ok · This is an instruction-only skill with no install spec or bundled code, the lowest install risk. The only install hint is the public npm package git-escrows (npm i -g git-escrows), which is reasonable, though a global npm install still runs the package's lifecycle scripts and pulls in its dependency tree, so pin a version and review it before installing. There are no downloaded archives or third-party install URLs in the skill itself.
Credentials
note · Requesting a PRIVATE_KEY is proportionate to submitting on-chain escrows, but a PRIVATE_KEY is extremely high-privilege: it can sign arbitrary transactions and move every token the account holds. The skill also expects a .env file. The small set of requested credentials is coherent, but users must understand that supplying this key grants the tool (and any agent driving it) the ability to spend funds from that account. The skill's advice to pass the key on the command line increases the exposure risk.
Persistence & Privilege
note · The skill is not always-enabled and is user-invocable (normal). However, because it requires the PRIVATE_KEY, allowing autonomous invocation (the platform default) increases the blast radius: an agent with this skill and access to the key could submit transactions without a human in the loop. The skill itself does not request persistent modification of other skills or system-wide settings.