Skill v1.0.0

ClawScan security

Windfall Inference · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 12:01 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The SKILL.md is a small, client-facing wrapper that only asks for an API key, but the bundle contains a full server codebase, deploy scripts, and many dependencies — the package contents and metadata are not fully consistent with the simple runtime instructions.
Guidance
What to consider before installing or using this skill:

- If you only want to call Windfall's hosted API: you only need to provide WINDFALL_API_KEY to the agent. Verify the endpoint (https://windfall.ecofrontiers.xyz) and avoid reusing sensitive keys.
- The bundle contains a full server implementation (deploy script, package.json, many src/ services). Do NOT run or 'npm install' these files unless you trust the publisher and have audited the code; running them will fetch many third-party packages and may require blockchain/payment secrets.
- If you intend to self-host the code: read the source thoroughly for required environment variables (Stripe, Ethereum RPC keys, EAS attestation config, x402 keys) and note the Business Source License in LICENSE.md which restricts offering a competing commercial inference gateway.
- Treat the WINDFALL_API_KEY as a scoped credential: prefer least-privilege, generate ephemeral/test keys where possible, and monitor usage. Consider using a separate key for the agent and avoid sharing cloud/provider credentials.
- Verify the operator identity (homepage, organization, package provenance). The registry owner is an opaque ID; if you require high assurance, confirm the project's repository, maintainers, and TLS fingerprint of the API endpoint.
- If you need a higher-assurance classification, provide the contents of src/config.ts and src/index.ts (or allow an independent code audit) — those files will show exactly what environment variables and outbound endpoints the server uses and whether any unexpected exfiltration occurs.

Review Dimensions

Purpose & Capability
concern: The skill's name/description and SKILL.md present a simple OpenAI-compatible gateway requiring only WINDFALL_API_KEY. However, the bundle includes a complete server codebase (many src/ services), deploy/setup.sh, package.json and package-lock.json with payment, blockchain, and attestation libraries (ethers, stripe, @ethereum-attestation-service/eas-sdk, @x402/*, etc.). That full server footprint is coherent with a Windfall operator node but is disproportionate to a client-only inference-sink skill; the manifest claims 'instruction-only' / no install spec while shipping a deployable server — this mismatch is suspicious.
Instruction Scope
note: The SKILL.md runtime instructions are narrowly scoped: set WINDFALL_API_KEY and call the remote endpoint (or use x402). The instructions do not request other env vars or filesystem access. That is consistent with a client-side integration. The concern is not the SKILL.md itself but that the included source contains server behaviors (attestations, on-chain watchers, payment settlement) which are not referenced in the SKILL.md guidance to the agent.
Install Mechanism
concern: The registry entry declares no install spec, but the package contains a full Node project with package.json and many dependencies and a deploy/setup.sh script. If a user or operator were to run/install this code, it would pull many networked packages and require build/runtime steps. The lack of an explicit install mechanism combined with shipped deploy scripts is an inconsistency and increases risk if the code is executed without review.
Credentials
note: SKILL.md and registry require only WINDFALL_API_KEY (primary credential) which is proportionate for a client calling a hosted API. However, the shipped server code references payment, blockchain, and attestation features that typically require other secrets (Stripe keys, Ethereum RPC keys/private keys, EAS configs). Those other credentials are not declared in requires.env — this is a mismatch worth flagging if you plan to run the code yourself.
Persistence & Privilege
ok: The skill is not always: true and does not request system-level persistence or other skills' configs. Autonomy is enabled by default (normal) but not combined with other high-risk flags here.