Skill v1.0.0

ClawScan security

Crypto Address Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 20, 2026, 8:43 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly implements a local DB + background Etherscan sync for scam checks, but its documentation, declared requirements, and runtime behavior are inconsistent — notably around API usage and environment variables — so review before installing.
Guidance
This package appears to be a legitimate local DB-based scam detector, but there are important inconsistencies you should resolve before installing:

- ETHERSCAN_API_KEY is required for syncing unknown addresses, but the registry metadata does not declare it. Expect the skill to use network calls for unknown addresses or when running the sync worker/cron; if you do not set a key, realtime sync will fail or the scripts will prompt you.
- The top-line claim 'No external API calls during user checks' is only true when an address is already present in the local DB. Unknown addresses trigger immediate Etherscan fetches (crypto_check_db.py calls a syncer) or the convenience script will run sync_worker. Clarify whether you want those realtime network calls.
- Inspect requirements.txt before pip install to confirm third-party dependencies are trusted; review secure_key_manager.py to understand how it encrypts and stores your API key (where the passphrase comes from, PBKDF iterations, storage path ~/.config/crypto-scam-detector/encrypted_keys.json). Make sure no hardcoded remote endpoints or backdoors exist in sync_worker.py or secure_key_manager.py.
- The installer runs silently (redirects output), which is convenient but hides install-time errors; run install.sh interactively or inspect it first.

If you plan to use this skill:

1) Audit secure_key_manager.py and sync_worker.py to confirm Etherscan (and any additional services like ChainAbuse) are the only external endpoints used and that keys are handled securely.
2) Ensure you are comfortable storing an API key on the host and with running a background worker (cron/systemd) that uses it.
3) Consider running the skill in an isolated environment (dedicated user account or container) until you confirm behavior.

Because these inconsistencies could be innocent (sloppy docs) but also lead to unexpected network calls or key exposure, treat the package as suspicious until you confirm these points.

Review Dimensions

Purpose & Capability
Note: The code and docs align with a database-first crypto-scam detector that uses Etherscan for background sync. That capability matches the name/description. However, the registry/metadata claims no required env vars or primary credential, while the code expects an ETHERSCAN_API_KEY (via environment or encrypted storage) for sync operations. Also, SKILL.md's repeated claim 'No external API calls during user checks' is misleading: checks that hit the DB only are offline, but the code will perform realtime Etherscan sync (network calls) when an address is missing.
Instruction Scope
Concern: SKILL.md and scripts direct the agent to create a local DB under ~/.config/crypto-scam-detector, run install.sh, optionally run setup.sh (encrypted key storage), and run sync_worker.py, which makes external API calls to Etherscan. The human-facing claim 'Zero external API calls during user checks' omits that the checker will trigger immediate sync/network calls for unknown addresses. Scripts reference ETHERSCAN_API_KEY and call network APIs; instructions also suggest adding cron/systemd services. These behaviors go beyond purely local-only checks and are not consistently documented as required.
Install Mechanism
OK: install.sh creates a Python virtualenv and pip-installs requirements from requirements.txt; there are no opaque downloads or unexpected remote URLs in the provided files. The install script runs silently by redirecting stdout/stderr but otherwise performs standard operations. This is a standard install pattern (moderate risk if requirements include untrusted packages — review requirements.txt).
Credentials
Concern: The skill metadata declares no required env vars or primary credential, but the runtime code and scripts clearly use ETHERSCAN_API_KEY (environment OR encrypted storage via secure_key_manager). The skill also stores data under the user's home config directory. Requiring an API key for Etherscan is legitimate for background sync, but the metadata should list it; the mismatch is a red flag and could lead a user to run the skill without understanding network calls or key storage behavior.
Persistence & Privilege
OK: The skill does not request always:true and does not attempt to modify other skills. It recommends running a background worker via cron or systemd (which requires the user to configure a service/cron). That is normal for a background sync worker; no privileged system-level changes are requested by the package itself.