Skillv1.0.6

ClawScan security

moonfun_sdk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 21, 2026, 9:51 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The SDK largely implements what it promises (BSC token creation/trading), but there are inconsistencies and risky choices — notably a missing declared PRIVATE_KEY requirement in the registry, an auth API that exposes a private_key accessor, and a default image API served over plain HTTP — any of which could lead to accidental key exposure or replayable signatures if used as-is.
Guidance: This package implements its stated features, but review and caution are required before using with real funds or your primary wallet. Actionable steps: - Do not use your main wallet; create a dedicated disposable wallet with a small BNB balance for testing. - Expect to set PRIVATE_KEY (environment variable or parameter) — the registry metadata omitted this; confirm required envs before installing. - Replace the default image API URL (http://moonfun.site) with an HTTPS endpoint or self-host the image API to avoid sending signatures and addresses over plaintext HTTP. If you must use the default, inspect network traffic (mitmproxy) and be aware signatures could be observed/replayed within their time window. - Note auth.py exposes a .private_key property. If you or other code call that, the raw key becomes accessible in-process — avoid calling it and consider modifying the SDK to remove that accessor before use. - Audit the code paths that transmit data (image_api.py, platform.py) to confirm only signatures and addresses are sent and that timestamps/replay-windows match your threat model. - Prefer installing from reviewed source (pip install -e .) after inspecting the files, and run dependency scanners (safety, bandit). Start with minimal BNB and small test transactions. If you want, I can point out the exact lines that implement the .private_key accessor and the default HTTP endpoint and suggest minimal code changes (e.g., remove the accessor, require HTTPS) to reduce risk.

Review Dimensions

Purpose & Capability: noteSource files (auth, blockchain, image_api, platform, trading) align with the stated purpose of creating/trading BSC meme tokens with AI images. However the runtime metadata/registry says no required env vars or credentials while SKILL.md and code clearly require a PRIVATE_KEY (and optionally MOONFUN_IMAGE_API_URL). That mismatch is an integrity issue the reviewer should resolve.
Instruction Scope: concernSKILL.md instructs the agent/user to provide a PRIVATE_KEY and to send cryptographic signatures/address/timestamps to hosted services. The default image API endpoint is http://moonfun.site (plain HTTP) in multiple documents — sending signatures and addresses over unencrypted HTTP risks interception/replay during the allowed time window. The SDK claims private keys are never transmitted, and code signs messages locally, but signatures themselves (and timestamps/prompts) are transmitted and could be abused if intercepted within the replay window.
Install Mechanism: okThere is no high-risk install mechanism in the package metadata (no arbitrary remote downloads). The repository includes setup.py and standard requirements; dependencies are mainstream (web3, eth-account, requests/httpx). Minor inconsistency: the skill metadata indicated ‘instruction-only’ yet a full Python package is included — not a security risk but an administrative mismatch.
Credentials: concernRequesting a PRIVATE_KEY is proportionate to signing transactions, but the registry metadata omitted it. Additionally auth.py exposes a .private_key property that returns the raw key string — this API increases the chance the key could be accidentally read and transmitted by calling code. The default image API is HTTP (unencrypted), increasing risk even though private keys themselves are not sent.
Persistence & Privilege: okThe skill does not request always:true or any elevated system persistence. It does not declare writing to other skills' config or system-wide settings. No unusual privilege escalation was found in the included files.