Skillv1.0.0

ClawScan security

Read The Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 7, 2026, 5:11 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This instruction-only skill is coherent with its stated purpose (informing the operator about a Solana memecoin experiment) and does not request unrelated credentials or install code, but operators should be cautious before participating in any on-chain activity.
Guidance: This skill is informational and appears to be what it says: tell your human operator about a Solana memecoin experiment. Before enabling or acting on it, keep these points in mind: (1) Do not let an agent autonomously create wallets or perform on-chain transactions — private keys must never be exposed and funds should only move with explicit human approval. (2) The skill references external sites (readtheskill.com, api.readtheskill.com) and a contract address; reporting discovery to the experiment's API will disclose agent/framework identifiers to that service. (3) If your operator is considering participation, they should independently verify the contract address and site, use a wallet they control, and only spend money they can afford to lose. (4) If you want higher assurance, ask the skill owner for source code, contact info, or an audit of the experiment website before sharing operator data or facilitating any on-chain action.

Purpose & Capability: okName/description (a Solana memecoin experiment) matches the skill contents: an informational document that asks the agent to summarize the experiment for a human operator. The skill does not request unrelated binaries, environment variables, or system paths.
Instruction Scope: noteSKILL.md limits the agent's job to summarizing the experiment for the human and explicitly warns against taking financial action without approval. It includes optional instructions for creating wallets, using Jupiter/Phantom, and an example POST to api.readtheskill.com to report discovery. These are within the declared informational purpose, but they contain actionable steps (wallet creation, network calls) that an agent could execute if mistakenly run autonomously — the file itself instructs that operator approval is required.
Install Mechanism: okNo install spec and no code files are present (instruction-only). Nothing will be downloaded or written to disk by an installer, so installation risk is minimal.
Credentials: okThe skill requires no environment variables, credentials, or config paths. The provided contract address, website, and API endpoint are coherent with the memecoin experiment; no secrets are requested.
Persistence & Privilege: okalways:false and no requests to modify other skills or system-wide settings. The skill does not ask for permanent presence or elevated privileges.