Skill v2.0.0
ClawScan security
pocket-money · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 24, 2026, 2:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (creating and managing Base/USDC wallets) matches the instructions, but installing a third‑party npm package that will handle private keys stored unencrypted on disk — combined with autonomous agent invocation — raises real risk of key exfiltration or unintended spending.
- Guidance: This skill is coherent with its stated aim (creating local Base/USDC wallets), but it has security-sensitive components you should review before installing:
  1. Inspect the @auteng/pocket-money package source on GitHub and the npm package contents (including dependencies and postinstall scripts).
  2. Do not fund these wallets with more than a small, reviewed amount; treat them as petty cash.
  3. Consider requiring encrypted keystores or a hardware signing flow rather than unencrypted JSON files on disk; if you must use these files, keep strict filesystem permissions and backups off the machine.
  4. Confirm the RPC endpoints (mainnet.base.org) and whether gas in ETH is actually required; the SKILL.md claim that "no ETH needed for gas" may be inaccurate on Base unless a gas-sponsorship mechanism is used.
  5. If possible, run the npm package in a sandboxed environment or audit it first; pin to a specific package version and vendor.
  6. Be aware that the agent can be invoked autonomously; if you want to prevent accidental spending, restrict autonomous invocation for this skill or ensure that human approval can be enforced by policy.

  If you cannot audit the package and accept these risks, proceed cautiously; otherwise, treat this skill as potentially dangerous.
Review Dimensions
- Purpose & Capability: ok. Name and description align with the requested artifacts: node/npm are required for the @auteng/pocket-money package, and the skill expects a local config directory .auteng/wallets/ where wallets are stored. No unrelated credentials or bizarre binaries are requested.
- Instruction Scope: concern. The SKILL.md instructs creating, loading, and storing private keys as unencrypted JSON at .auteng/wallets/<name>.json (0600). It also instructs the agent to poll the Base RPC and to wait for funding. The document relies on the human for explicit approval before spending, but that is procedural (not enforced technically). There is no instruction-level protection preventing an agent or installed code from programmatically signing and sending transactions without human confirmation.
- Install Mechanism: concern. Install is via an npm package (@auteng/pocket-money). Installing an npm package grants arbitrary code execution on the host at install/runtime; this is expected for a Node-based skill but is a meaningful risk because the package will have access to wallet files and could exfiltrate keys. The package source is referenced in SKILL.md (GitHub and npm links), which helps reviewability, but the registry metadata lacked a homepage entry; you should verify the package identity and inspect source before installing.
- Credentials: ok. No environment variables or unrelated credentials are requested. The only filesystem access declared is the .auteng/wallets/ path where wallet JSONs are stored. That is consistent with the stated functionality, but the data stored there (private keys) is highly sensitive, so minimality of requested variables doesn't remove the risk.
- Persistence & Privilege: concern. always:false (good). The skill can be invoked autonomously (platform default). Combined with an installed npm package that can access and sign with local private keys, autonomous invocation increases blast radius: the agent or package could sign/send transactions programmatically. SKILL.md relies on human approval but cannot technically enforce it.
