Skill v1.0.0

ClawScan security

Nla Fulfill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 12:28 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The instructions match the described purpose (fulfilling on-chain escrows), but the skill metadata omits two important requirements (the 'nla' CLI and private-key handling) and encourages actions that could expose a signing key. Verify before use.
Guidance
This skill appears to do what it claims (help submit fulfillments and collect escrowed tokens), but the published metadata omits two facts the SKILL.md makes explicit: you need the 'nla' CLI (an npm package) and a private key or wallet holding ETH for gas. Before installing or invoking this skill:
1) Do not expose your main production private key. Prefer a separate account funded with the minimum needed, a hardware wallet, or manual signing.
2) Verify the 'nla' npm package (author, package name, registry, linked repository) before installing it.
3) Avoid setting PRIVATE_KEY as a global env var that the agent can read; prefer a wallet prompt, or manual --private-key entry where that is the only option. Note that a key passed as a command-line argument can land in shell history and process listings, so the prompt is preferable.
4) If you permit the agent to run commands autonomously, be aware that it can sign and broadcast transactions whenever it has access to the key.
If you need more assurance, ask the skill author to update the registry metadata to declare the required binaries and env vars, and to provide the npm package's repository link.

Review Dimensions

Purpose & Capability
Note: The SKILL.md describes exactly the expected actions for fulfilling an NLA escrow (checking status, submitting fulfillments, monitoring arbitration, collecting tokens). However, the registry metadata does not declare the required 'nla' CLI or any environment variables, even though the instructions explicitly require `npm install -g nla` and a private key/wallet. This mismatch is a transparency/consistency issue.
Instruction Scope
Concern: Runtime instructions tell the agent/user to submit on-chain transactions (commit-reveal flow) and to supply a private key (via the PRIVATE_KEY env var, --private-key, or `nla wallet:set`). The SKILL.md reads an environment variable and invokes a CLI, actions that can sign and broadcast transactions. The instructions do not ask the agent to read unrelated system files, but they do assume access to a sensitive secret (a private key) that is not declared in the skill metadata.
Install Mechanism
Note: There is no install spec in the registry (instruction-only skill), but the SKILL.md requires the user to install 'nla' via npm (`npm install -g nla`). Installing a global npm package is a normal approach for CLI tools but carries moderate risk: the package source should be verified (author, package name, registry, and repository). The skill itself will not perform the install, so the responsibility falls to the user.
Credentials
Concern: The task legitimately requires a private key and ETH for gas, but the skill does not declare required env vars or a primary credential in the metadata. Requiring a PRIVATE_KEY (or a wallet configured in the CLI) is sensitive and should be explicit. The absence of declared credentials in the registry metadata is an inconsistency that reduces transparency about what secrets the skill needs or may use.
Persistence & Privilege
Note: The skill is not always-enabled and does not request persistent privileged platform hooks. However, because it instructs use of a signing key and allows CLI invocation, if the agent is granted the key or the CLI is pre-authorized, the agent could autonomously sign and send transactions. Autonomous invocation is the platform default; combine that with private-key access only if you trust the agent's behavior.
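The metadata-versus-SKILL.md mismatch raised in the Guidance and under Purpose & Capability, Instruction Scope and Credentials can be checked mechanically. The script below is an added example, not ClawHub or ClawScan code: it scans a constructed SKILL.md excerpt (modelled on what the review describes, not the published file) for global npm installs, environment variables and secret-bearing CLI flags, compares them with a registry record whose field names (`binaries`, `env`) are an assumption rather than ClawHub's schema, and labels each finding with the review's own note/concern severities. It also includes a small helper for guidance item 3, listing secret-looking variables visible in a process environment.

```python
"""Consistency check between a skill's SKILL.md and its registry metadata.

Added example; not ClawHub/ClawScan code. The SKILL.md text, the metadata
field names and the note/concern/suspicious labels are constructed for the
example to mirror the review above.
"""
import re
from dataclasses import dataclass, field

# Constructed SKILL.md excerpt (not the published skill's file).
SKILL_MD = """# Nla Fulfill

## Requirements
Install the CLI: `npm install -g nla`
You need a wallet with ETH for gas. Set the PRIVATE_KEY env var, or pass
`--private-key <hex>` on each call, or run `nla wallet:set`.

## Steps
1. `nla escrow:status <id>`
2. `nla fulfill:commit <id> --private-key $PRIVATE_KEY`
3. `nla fulfill:reveal <id>`
4. `nla escrow:collect <id>`
"""

# Constructed registry record; field names are an assumption, not
# ClawHub's schema. This one declares nothing, as in the review.
UNDECLARED = {"binaries": [], "env": []}

# Crude name-based secret heuristic (matches KEYBOARD too; good enough here).
SECRET_HINT = re.compile(r"KEY|SECRET|TOKEN|PASS|MNEMONIC|SEED", re.I)
GLOBAL_INSTALL = re.compile(r"npm\s+(?:install|i)\s+(?:-g|--global)\s+([@\w./-]+)")
ENV_USE = re.compile(
    r"\$\{?([A-Z][A-Z0-9_]+)\}?"                        # $X or ${X}
    r"|(?:^|\s)(?:export\s+)?([A-Z][A-Z0-9_]+)="         # X=... / export X=...
    r"|\b([A-Z][A-Z0-9_]+)\s+env(?:ironment)?\s+var",    # "X env var"
    re.M,
)
SECRET_FLAG = re.compile(r"--(?:private-key|secret|mnemonic|seed|password)\b")


@dataclass
class Finding:
    severity: str   # "concern" or "note", mirroring the review's labels
    dimension: str  # which review dimension it falls under
    detail: str


@dataclass
class Report:
    verdict: str    # "suspicious" if any concern, else "ok"
    findings: list = field(default_factory=list)


def required_binaries(skill_md):
    """CLI names the instructions install globally. Assumes the binary is the
    package basename (@scope/foo -> foo), which is usually but not always true."""
    return sorted({m.group(1).split("/")[-1] for m in GLOBAL_INSTALL.finditer(skill_md)})


def referenced_env_vars(skill_md):
    """Environment variables the instructions read, set, or name."""
    return sorted({next(g for g in m.groups() if g) for m in ENV_USE.finditer(skill_md)})


def secret_flags(skill_md):
    """CLI flags that carry a signing secret on the command line."""
    return sorted(set(SECRET_FLAG.findall(skill_md)))


def exposed_secrets(environ):
    """Secret-looking variables visible to a process (pass os.environ to check
    the environment an agent would inherit)."""
    return sorted(k for k in environ if SECRET_HINT.search(k))


def review(skill_md, metadata):
    findings = []
    declared_bins = set(metadata.get("binaries", []))
    declared_env = set(metadata.get("env", []))
    declares_secret = any(SECRET_HINT.search(v) for v in declared_env)

    for b in required_binaries(skill_md):
        if b not in declared_bins:
            findings.append(Finding("note", "Install Mechanism",
                f"SKILL.md installs '{b}' globally via npm; metadata declares no binary"))
    for v in referenced_env_vars(skill_md):
        if v not in declared_env:
            sev = "concern" if SECRET_HINT.search(v) else "note"
            findings.append(Finding(sev, "Credentials",
                f"SKILL.md uses env var {v} that metadata does not declare"))
    for f in secret_flags(skill_md):
        # A secret on the command line stays worth a note even once declared:
        # it lands in shell history and process listings.
        sev = "note" if declares_secret else "concern"
        findings.append(Finding(sev, "Instruction Scope",
            f"SKILL.md passes a signing secret via {f}"))

    verdict = "suspicious" if any(f.severity == "concern" for f in findings) else "ok"
    return Report(verdict, findings)


if __name__ == "__main__":
    for f in review(SKILL_MD, UNDECLARED).findings:
        print(f"[{f.severity}] {f.dimension}: {f.detail}")
```

Against the undeclared record the script reproduces the review's shape: a note for the undeclared 'nla' binary and concerns for the undeclared PRIVATE_KEY and the --private-key flag, giving a suspicious verdict. With `binaries` and `env` declared the verdict drops to ok, but the command-line secret remains a note, which is the caveat behind guidance item 3.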