Skill v1.0.0

ClawScan security

RugCheck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: its name/description match the included shell script and SKILL.md, it only queries the public RugCheck API and requests no credentials or installs, and there are no anomalous file reads or hidden endpoints.
Guidance
This skill appears to do what it says: it sends token mint addresses to rugcheck.xyz and returns public risk reports. Before installing, consider: (1) Queries will reveal which token mint addresses you ask about to a third party (rugcheck.xyz) — avoid sending any sensitive/private data. (2) The SKILL.md mentions bulk endpoints that require a wallet JWT; the skill does not attempt to obtain any JWTs automatically, but you should not provide private keys or wallet secrets. (3) Rate limits may apply; the script respects basic error handling but you may want to throttle repeated queries. If you need full privacy or offline analysis, use your own tooling or self-hosted analyzers instead.

Review Dimensions

Purpose & Capability
ok: Name/description promise Solana token risk checks via RugCheck and the included script plus SKILL.md implement exactly that (calls to https://api.rugcheck.xyz endpoints). No extraneous credentials, binaries, or unrelated capabilities are requested.
Instruction Scope
ok: Runtime instructions and the script only call RugCheck read endpoints, validate mint addresses locally, and pretty-print JSON. They do not read arbitrary files, environment variables, or send data to any endpoints other than api.rugcheck.xyz. Bulk endpoints are documented as requiring JWTs but the skill does not attempt to perform auth automatically.
Install Mechanism
ok: No install spec; this is instruction-only with a small bundled shell script. There are no downloads, extracted archives, or third-party package installs.
Credentials
ok: No environment variables, credentials, or config paths are required. The SKILL.md mentions that some bulk endpoints require a wallet JWT (correctly labeled) but the skill does not request or embed any secret.
Persistence & Privilege
ok: always is false and the skill does not modify system or other skills' config. It has no persistent install steps or privileges beyond running a local script that issues HTTP requests.