0xscada
Warn
Audited by ClawScan on May 18, 2026.
Overview
Review recommended: this skill starts an external 0xSCADA server and can involve blockchain signing keys and Flux/Web3 integrations without clearly bounding the remote data flow or shutdown controls.
Install only if you trust and have reviewed the underlying 0xSCADA repository. Set SCADA_DIR explicitly, use disposable or least-privilege blockchain keys and tokens, confirm what data is sent to Web3/Flux services, and make sure you know how to stop the background server.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may cause your agent to run code from a local 0xSCADA repository that was not part of this review.
The reviewed skill is only a wrapper; it executes an npm script from an external, configurable repository path rather than from fully provided and pinned code.
SCADA_DIR="${SCADA_DIR:-$(cd "$SKILL_DIR/../../.." && pwd)}" ... cd "$SCADA_DIR" ... npm run dev &
Set SCADA_DIR explicitly to a repository you trust, review that repository and its package scripts, and avoid providing sensitive credentials until you understand the code being run.
A misconfigured or compromised underlying server could use the provided private key for unintended or costly blockchain actions.
A blockchain private key can authorize transactions, but the artifacts do not define key scope, confirmation requirements, spending limits, or exactly what will be signed.
`WEB3_RPC_URL` & `PRIVATE_KEY`: Enable blockchain audit anchoring
Use a dedicated low-privilege key with minimal funds and permissions, and confirm the underlying server's signing behavior before enabling PRIVATE_KEY.
Industrial telemetry, audit state, or memory-integration data could be sent to remote services in ways that are not clearly disclosed by the destination metadata.
The metadata declares remote endpoint and token variables while also declaring no optional remote data destinations, leaving the Web3 and Flux data boundaries unclear.
"optional": { "env": ["SCADA_PORT", "DATABASE_URL", "SCADA_DIR", "WEB3_RPC_URL", "PRIVATE_KEY", "FLUX_URL", "FLUX_AUTH_TOKEN"] } ... "optionalRemote": []
Clarify what data is sent to WEB3_RPC_URL and FLUX_URL, update destination declarations, and avoid using production telemetry or tokens until those flows are understood.
The local 0xSCADA service may continue running after the agent task ends, potentially retaining access to configured databases, tokens, or blockchain keys.
The start command backgrounds the server, but the provided command set documents only start and status, not a stop or cleanup path.
npm run dev & ... echo "Commands:" ... " start Start the 0xSCADA server" ... " status Show running status"
Add and document a stop command or PID management, and verify how to shut down the server before using the skill with sensitive environments.
