Skill v0.1.0
ClawScan security
Send Tokens · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 4:49 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description matches its behavior (it issues on-chain transfers), but the runtime instructions expect a local CLI wallet (fdx) and an authenticated signer without declaring either that dependency or the scope of the credentials involved. This mismatch between declared and actual requirements is a red flag.
- Guidance: This skill will invoke a local CLI (fdx) to move real funds. Before installing:
  1. Confirm that you have, and trust, the fdx CLI the skill expects; the skill metadata should list fdx as a required binary but does not.
  2. Understand where your wallet keys live (local keyfile, unlocked signer, agent environment). If the agent can reach an authenticated wallet, it can send irreversible transactions.
  3. Prefer requiring an explicit human confirmation step, or disable autonomous invocation, so that no transfer can happen without manual approval.
  4. Test with very small amounts on a testnet first.
  5. Ask the publisher to update the skill to declare the fdx binary as required and to document where the wallet credentials are expected to be stored.
  If you cannot verify these points, treat the skill as risky and do not install it on agents that can access real funds.
Review Dimensions
- Purpose & Capability: concern. The skill is legitimately a 'send tokens' helper, and its instructions call fdx CLI commands to perform transfers. However, the skill metadata declares no required binaries or primary credential even though SKILL.md explicitly relies on the fdx CLI and an authenticated local wallet. That undeclared dependency on the fdx binary and wallet is an inconsistency between what the skill declares and what it actually needs.
- Instruction Scope: note. SKILL.md stays within the expected scope (check auth, check balance, confirm with the human, call fdx transfer). It does not instruct the agent to read unrelated files or exfiltrate data. It relies on human confirmation before execution, which is appropriate, but the instructions do not require any machine-verifiable validation of the destination address or amount beyond that manual confirmation.
- Install Mechanism: ok. Instruction-only skill with no install steps, which minimizes on-disk installation risk. The tradeoff is that the skill assumes the environment already has the fdx CLI available.
- Credentials: concern. No environment variables or credentials are declared, yet the skill performs operations that require an authenticated wallet (local keys, an unlocked signer, or a daemon). Omitting any declared credential requirement, or any mention of where the secrets live (fdx config, keyfile, environment), is disproportionate to the sensitivity of the operation and hides the context a reviewer needs to judge the transfer capability.
- Persistence & Privilege: ok. The skill is not always-enabled and does not request elevated persistence. Autonomous invocation is allowed (the platform default), which is not flagged on its own; consider restricting it because the skill can perform irreversible fund transfers.
