Skill v0.2.0

ClawScan security

31Third Safe Rebalancer (Simple) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 17, 2026, 11:14 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement an on‑chain Safe rebalancer (which justifies a signer key and RPC access), but the package/registry metadata omits required sensitive env vars (private key, RPC, API key) and a prompt‑injection pattern was flagged in SKILL.md — review the code and provenance before using with real funds.
Guidance
What to check before installing/using this skill:
- The registry metadata claims no required env vars/credentials, but SKILL.md requires a private key (EXECUTOR_WALLET_PRIVATE_KEY), RPC_URL/CHAIN_ID and TOT_API_KEY. Treat that as a red flag. Ask the publisher why the metadata omits these sensitive requirements.
- Do not use your Safe owner private key. Use a dedicated executor key with minimal privileges and limited balance for gas only; rotate or revoke it after testing.
- Manually review package.json, package-lock.json and all CLI/source files (src/ and dist/) for network endpoints, telemetry, logging, or code that might exfiltrate secrets (HTTP POSTs, fetch/curl to unknown domains, encoded payloads). Pay attention to any code that sends data to endpoints other than official 31Third domains and your configured RPC.
- Because SKILL.md instructs you to run npm install, consider auditing the dependency tree or running in an isolated environment/VM/container before connecting real keys or funds.
- The static scanner flagged a base64 prompt‑injection pattern. Search the SKILL.md and included files for hidden/encoded instructions and remove/inspect any such blocks.
- Prefer running first on a test Safe/testnet and verify behavior (no unexpected outbound traffic, correct on‑chain calls). If possible, request the canonical source repository (git) or a publisher identity proof (31third.com) and verify releases/tags match the packaged code.
- If you are not comfortable auditing the code, do not provide the executor private key to this tool; instead use trusted, audited tooling or ask 31Third support for an official client.
Findings
[base64-block] unexpected: A prompt‑injection pattern (base64‑block) was detected in SKILL.md by the static scanner. The SKILL.md shown here does not visibly contain a base64 payload, so this may be a false positive or present elsewhere in the distributed SKILL.md (or in one of the included files). Regardless, any detected prompt‑injection token in runtime instructions is worth manual review to ensure there are no embedded instructions intended to manipulate agent behavior.

Review Dimensions

Purpose & Capability
note: The skill's name/description (Safe rebalancer using 31Third policies) matches the code and instructions: it reads on‑chain policies and signs transactions as an executor. However the registry metadata claims no required env vars/primary credential while SKILL.md clearly requires an executor private key, RPC_URL, CHAIN_ID and a 31Third TOT_API_KEY. That mismatch is unexpected and relevant to trust/provenance.
Instruction Scope
concern: SKILL.md instructs the user/agent to set EXECUTOR_WALLET_PRIVATE_KEY and run npm run cli -- rebalance-now, which will use an ethers signer to calculate and execute trades. Those instructions are within the stated rebalancer scope, but they give the skill direct access to a sensitive private key and network RPC. SKILL.md also tells you to 'copy env vars from the wizard', so the agent could be given secrets not declared in registry metadata. Because the instructions rely on a private key and network RPC, you should audit the CLI code (included) for any unexpected network endpoints, logging, or exfiltration behavior before running.
Install Mechanism
note: There is no platform install spec (instruction‑only), which lowers installer risk, but the bundle includes full JS/TS source, dist files, package-lock.json and instructs the user to run npm install and npm run build. Running npm install will fetch dependencies from npm (not vetted by the platform); inspect package.json/package-lock.json and the codebase before installing to avoid malicious dependencies.
Credentials
concern: The environment variables called out in SKILL.md (EXECUTOR_WALLET_PRIVATE_KEY, SAFE_ADDRESS, EXECUTOR_MODULE_ADDRESS, RPC_URL, CHAIN_ID, TOT_API_KEY) are all plausible and necessary for an on‑chain executor tool. The concern is that the skill's registry metadata advertises 'no required env vars' and 'no primary credential', which is inconsistent with the real requirements. The private key is high‑sensitivity; ensure it is an executor key with narrowly scoped privileges (not the Safe owner key) and consider a hardware or ephemeral signer.
Persistence & Privilege
ok: The skill does not request always:true and does not declare writing/modifying other skills or system settings. It appears to be invoked via CLI on demand; autonomous model invocation is enabled by default but is not combined here with 'always' or other elevated privileges.