Skill v0.1.0
ClawScan security
Unibase · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 7:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (agentic wallets) matches its description, but the published metadata omits required credentials and the runtime instructions encourage insecure persistence of a JWT in repo config — these inconsistencies and risky recommendations warrant caution.
- Guidance: Do not install blindly. Before using:
  1) Require the skill's metadata be corrected to declare required env vars (UNIBASE_PROXY_URL, primary JWT or primaryEnv) and list exactly how tokens are supplied.
  2) Never store long-lived JWTs or secrets in repository files; use the platform's secret store or OS-level credential manager (environment vars, vault).
  3) Verify the UNIBASE_PROXY_URL is an official Unibase domain (confirm via Unibase website/docs); avoid unknown or IP-based endpoints.
  4) Limit agent autonomy: require explicit user confirmation for any real-money transaction and test on testnets with minimal funds first.
  5) Ask the publisher for provenance — homepage is missing and owner ID is opaque; prefer skills from verifiable official sources.
  6) If you proceed, implement additional runtime safeguards: require interactive confirmation, validate addresses/amounts independently, and rotate tokens frequently.
  If the publisher cannot justify the missing metadata and the repo-storage guidance, treat the skill as untrusted.
- Findings
[ignore-previous-instructions] expected: The SKILL.md explicitly lists prompt-injection patterns to detect (including 'Ignore previous instructions...') — the scanner found that string. This is expected: the skill warns about injection rather than performing one.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (agentic wallets for Unibase) aligns with the instructions (proxy endpoints, wallet RPCs, multi-chain support). However, the registry metadata declares no required env vars/credentials while the SKILL.md clearly expects UNIBASE_PROXY_URL and a JWT (UNIBASE_PROXY_AUTH/config.json). That mismatch is an important incoherence.
- Instruction Scope (concern): Instructions ask the agent to call external proxy endpoints, run curl flows, and persist an auth token into a local config.json stored 'in the repo'. Requiring the agent to store and reuse a long-lived JWT in repository files is beyond the minimal scope of making API calls and creates a sensitive persistence and exfiltration surface. The doc also includes explicit non-interactive flow guidance to send an authUrl to users via the conversation channel — this is functional but increases risk if misused.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing is written during install and there are no third-party packages to evaluate. That is the lower-risk approach for install mechanism.
- Credentials (concern): The skill requires an API proxy URL and a JWT auth token, yet the registry metadata lists no required environment variables or primary credential. Additionally, the SKILL.md explicitly tells users to persist the JWT in config.json (repo) rather than using a platform secret store. Asking for long-lived credentials without declaring them in metadata and recommending insecure storage is disproportionate and risky.
- Persistence & Privilege (concern): The skill does not request always:true or system-wide privileges, but it instructs storing a JWT in repository config.json and reusing it for future requests. That recommended persistence of a sensitive secret in repo files is a privilege/persistence risk (easy exfiltration, accidental check-ins) even though the skill itself doesn't modify other skills or system settings.
