ClawHub
Back to skill
v2.0.0

Graph Advocate

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:20 PM.

Analysis

This instruction-only blockchain data skill is mostly transparent, but it can send your queries to a third-party service and may automatically charge an x402 wallet after the free quota.

GuidanceInstall only if you trust graph-advocate-production.up.railway.app with your query text and any wallet addresses you ask about. Disable or tightly limit any x402 wallet unless you want automatic USDC payments after the free quota. Do not run the referenced npx MCP installs or provide GRAPH_API_KEY unless you have verified those packages and are comfortable with their access.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityLowConfidenceHighStatusNote
references/token-api.md
Full Specification ... https://token-api.thegraph.com/skills.md ... This skills.md is the authoritative source — if anything in this reference conflicts, trust skills.md.

A mutable external document is made authoritative for Token API behavior, which could influence the agent beyond the bundled reference if not constrained to API schema details.

User impactThe agent may follow changed remote documentation when answering Token API questions, which could alter routing or query behavior.
RecommendationTreat fetched Token API documentation as API reference only; do not let it override user instructions, system instructions, safety limits, or payment decisions.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
10 free queries/day per sender. After that, $0.01 USDC on Base per query. ... Agents with x402 wallets pay automatically.

The skill can cause paid x402 transactions when invoked after the free quota, and the artifacts do not define a per-query approval step, budget, or stop condition.

User impactRepeated or autonomous use could lead to unexpected USDC charges from a connected x402 wallet.
RecommendationRequire explicit user approval before any paid query, set a spending cap, and disable wallet payment support unless paid access is intended.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
references/aave.md
claude mcp add graph-aave -- npx -y graph-aave-mcp
export GRAPH_API_KEY=your-key-here

The bundled reference recommends running an unpinned npm package via npx and then providing a Graph API key; this is not part of the no-code install, but it is a supply-chain exposure if followed.

User impactInstalling optional MCP packages from npm could run third-party code and expose any API key configured for it.
RecommendationOnly run referenced MCP installs after verifying the package source, pin versions where possible, and use least-privilege API keys.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
references/polymarket.md
claude mcp add graph-polymarket -- npx -y graph-polymarket-mcp

Although the submitted skill itself is instruction-only, the reference includes a command that would execute a remote npm MCP package if the user follows it.

User impactA user expecting only an instruction-only skill could execute additional local code by following the reference install command.
RecommendationDo not run the referenced npx commands unless you intentionally want those MCP servers installed and have reviewed their provenance.
Human-Agent Trust Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
- **No credentials required** — Graph Advocate does not need API keys from you ... Agents with x402 wallets pay automatically.

The no-credentials statement is limited to API keys, while the same skill discloses wallet-based automatic payments; users could underweight the payment tradeoff if they read the security claim alone.

User impactA user may assume there is no account or payment authority involved when a connected x402 wallet can still be charged after the free quota.
RecommendationSurface the automatic payment disclosure next to the no-credentials claim and require clear confirmation before paid use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
SKILL.md
- **No credentials required** — Graph Advocate does not need API keys from you ... Agents with x402 wallets pay automatically.

The skill says it does not need user API keys, but it can still rely on an existing x402 wallet for payments; wallet spend authority is a delegated privilege that should be explicitly bounded.

User impactA user may not realize that an available wallet can be used for payment even though no API key or environment variable is required.
RecommendationPresent wallet/payment access as a separate permission, require opt-in, and enforce clear per-sender limits before using wallet authority.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceMediumStatusNote
SKILL.md
"cache_for_seconds": 86400

The response format includes a one-day cache hint for live blockchain results, which may encourage reuse of retrieved data across later responses.

User impactCached results may become stale or be over-trusted for time-sensitive blockchain, trading, or market questions.
RecommendationRefresh data before acting on time-sensitive results, and avoid reusing cached responses as authoritative beyond their intended context.
Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
By using this skill, your plain-English data queries are sent to `graph-advocate-production.up.railway.app` ... Only install if you trust this endpoint with your query text.

The skill uses an externally hosted A2A/service endpoint and discloses that user query text is sent there; this is purpose-aligned but creates a data-sharing boundary.

User impactQuestions, wallet addresses, protocol interests, or other text included in prompts may be shared with the service operator and downstream data providers.
RecommendationAvoid including secrets or private keys in queries, and only use the skill if you trust the listed endpoint with the query text.