Skill v1.0.0

ClawScan security

Ntriq X402 Phish Radar Batch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 12:00 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (posting up to 500 user-supplied URLs to a third-party endpoint that expects a payment header) is coherent with its stated purpose but has small inconsistencies and privacy/payment risks that are not explained in the metadata.
Guidance
This skill will send up to 500 URLs/domains to a third-party endpoint and requires a payment header (X-PAYMENT) even though no credential is declared. Before installing:
1) Verify the provider (x402.ntriq.co.kr) and review privacy/terms — you may be sending sensitive URLs.
2) Do not store your payment/auth header in an unrestricted agent config; prefer providing it interactively per-call.
3) Test with non-sensitive sample URLs first to confirm behavior.
4) Confirm billing flow and refund policy (flat $9 USDC) and how the X-PAYMENT header is obtained/rotated.
5) If you need stronger privacy, prefer a local scanner or a provider that documents authentication and data retention.
If you want me to, I can draft safer prompts for requesting the payment header from users or propose a workflow that avoids sending sensitive URLs.

Review Dimensions

Purpose & Capability
ok
Name and description match the runtime instructions: the skill calls an external phish-scanning API to analyze batches of URLs. No unrelated binaries, installs, or credentials are declared, which aligns with a lightweight instruction-only integration.
Instruction Scope
concern
The SKILL.md instructs the agent to POST up to 500 (potentially sensitive) URLs to https://x402.ntriq.co.kr/phish-radar-batch with an X-PAYMENT header. Sending large batches of user URLs/domains to an external third party is a privacy/data-exfiltration risk and should be explicit to users. The doc also mentions "Local AI inference on Mac Mini" but provides no instructions for local inference; this is ambiguous and possibly misleading.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. No files are written to disk and nothing is auto-downloaded, which is the lowest-risk install model.
Credentials
concern
No required env vars or primary credential are declared, yet the API requires an X-PAYMENT header for a paid call. The skill fails to declare where the payment header should come from (env var, user prompt, or stored credential). That mismatch increases the chance a user or agent will supply secrets insecurely or the agent will attempt to send sensitive payment/auth data without clear guidance.
Persistence & Privilege
ok
always is false and the skill does not request any persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by default (disable-model-invocation=false); this is normal but relevant to payment/privacy risks since an autonomous agent could make paid calls if given credentials.