Skill v2.5.1
ClawScan security
Rydberg Agent Node · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 8:49 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions are coherent with its stated purpose (deploying a ProbeChain Rydberg testnet Agent node) but you should review a few privacy/operational details before running it on a production machine.
- Guidance: This skill appears to do what it says: download/build a Rydberg testnet Agent node and run it. Before installing, (1) confirm you trust ProbeChain and the GitHub repository being used; (2) review the remainder of the SKILL.md for any commands that create system services, write outside your home directory, or modify firewall/network config; (3) be aware the installer saves a node password to ~/rydberg-agent/password.txt (created with restrictive permissions) — if you don't want a local plaintext secret, modify the workflow to use a secure keystore; (4) verify the release tag and, if possible, the GPG key fingerprint used to sign release checksums; and (5) consider testing in a VM/container if you are uncertain about running a networked node on your primary machine. I have medium confidence because the SKILL.md was truncated in the provided content—if the remaining steps create systemd services or perform system-wide changes that were not shown, that could raise the risk level.
Review Dimensions
- Purpose & Capability (ok): The skill claims to deploy a Rydberg Agent node and its instructions request exactly the capabilities needed for that: network outbound access, filesystem read/write in the user's home, and running build/runtime binaries. Requiring git/go/curl/tar/shasum for building or downloading a release and saving files under ~/rydberg-agent is consistent with the stated purpose.
- Instruction Scope (note): The SKILL.md stays on task (detect OS, check/install node, verify releases, build if necessary, run the node). It reads and writes only under ~/rydberg-agent (per the provided snippets) and uses GitHub release APIs and optional GPG/signature verification. Two items to note: (1) it asks the user to enter and saves a node password to password.txt (protected via umask 077) — this stores a secret on disk in plaintext (though file permissions are restricted), and (2) the skill automatically registers every deployed node as an Agent node on the testnet (this has protocol/consent implications). There is no evidence in the shown content of reading unrelated system files or exfiltrating data to unexpected endpoints.
- Install Mechanism (ok): This is an instruction-only skill (no bundled installer). It downloads release artifacts from the project's GitHub releases or clones the repository and builds from source using a pinned tag — both are standard and expected. For macOS arm64 it enforces checksum verification and optionally GPG verification. There are no downloads from untrusted personal URLs or IPs in the shown content.
- Credentials (note): The skill declares no required environment variables or external credentials, which matches the manifest. It does require filesystem and network access (reasonable for a node deployer). It does not request unrelated secret env vars. The only secret handled is a user-entered node password which the script stores locally; the user should be aware that this is a local secret file (albeit created with restrictive permissions).
- Persistence & Privilege (note): The skill is not marked always:true and is user-invocable (normal). The shown instructions create files in the user's home and execute binaries, which is expected. The truncated portion may include steps to register a service (systemd) or open ports; if so, those would be higher privilege operations — review the remainder of the SKILL.md for any system-wide service installs, firewall changes, or writes outside the user's home directory before proceeding.
