Skill v2.2.0
ClawScan security
Buff Round-Up Investing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 19, 2026, 2:31 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior largely matches a round-up investing tool, but there are inconsistencies between the published metadata and the runtime instructions (required API key and wallet), and the skill describes workflows that require signing transactions; verify before installing.
- Guidance: Do not install blindly. Confirm with the publisher why the registry metadata omitted required environment variables (BUFF_API_KEY, BUFF_WALLET_PUBKEY) even though SKILL.md and package.json require them. Treat BUFF_API_KEY as a sensitive, rotatable scoped key; never supply your Solana private key to the service — only submit signatures produced locally by a secure wallet or hardware signer. Before signing any transaction from the API, follow the SKILL.md verification steps (check program IDs, destination addresses, amounts, and that swaps are only Jupiter instructions). Test with small amounts and a throwaway wallet first. If you need higher assurance, ask for a link to an official homepage or repository with audited code and confirm TLS/certificate ownership of buff.finance and the GitHub repository listed in package.json.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md and package.json clearly require a BUFF_API_KEY and a Buff wallet public key and describe workflows to build and execute signed swap transactions via the Buff API and Jupiter — which is consistent with the stated round-up/investing purpose. However, the registry metadata in the provided package listing claims no required environment variables or credentials; that is inconsistent with the runtime instructions and package.json. This mismatch reduces trust and should be clarified by the publisher.
- Instruction Scope (note): Instructions are confined to calling buff.finance endpoints, calculating round-ups, building swap transactions, and verifying server-built instructions before signing. These actions are in-scope for an investing SDK. Important: several flows require signing with your Solana keypair (to generate API keys and to sign transactions). The SKILL.md does not instruct sending secret private keys to the service (only signatures), but the agent or developer will need access to signing capability — ensure signing happens locally or via a secure wallet and not by exposing private keys as environment variables or to the remote API.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files beyond SKILL.md and package.json. No downloads or archive extraction are specified, which minimizes install-time risk.
- Credentials (concern): The SKILL.md declares BUFF_API_KEY (sensitive) and BUFF_WALLET_PUBKEY as required; package.json lists BUFF_API_KEY and BUFF_WALLET_PUBKEY as requiredEnvVars. Yet the registry metadata earlier stated 'Required env vars: none'. That discrepancy is significant. Requiring a scoped API key for a remote investment service is reasonable for the stated purpose, but the omission in the published metadata is an incoherence that should be resolved before trusting the skill.
- Persistence & Privilege (ok): The always flag is false and the skill is user-invocable; autonomous invocation is allowed (normal default). The skill does not request permanent presence or system-wide configuration changes in the provided materials.
