Skill v1.0.0
ClawScan security
Defipoly · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 11:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a playable Defipoly agent and its requirements mostly match that purpose, but there are prompt-injection indicators in the SKILL.md and a few operational details (use of private-key env overrides and an overridable BACKEND_URL) that warrant caution before trusting a funded wallet to it.
- Guidance: This skill mostly does what it says (a Node-based CLI that signs and submits Solana transactions). However: 1) Do NOT supply your main wallet private key directly. Prefer creating/importing a throwaway wallet with minimal SOL/DPOLY for testing. 2) Inspect the full SKILL.md and scripts/agent-play.js yourself (or have a trusted reviewer) — the pre-scan flagged unicode control characters in SKILL.md which may be a prompt-injection attempt. 3) Verify the BACKEND_URL (default https://api.defipoly.app) before running; do not override BACKEND_URL to an untrusted endpoint. 4) Run npm install and execute the agent in an isolated environment (VM/container) first, and review network traffic (or run with SOLANA_RPC set to a read-only/test RPC). 5) If you must run with a real wallet, move only minimal funds to that wallet, keep private keys off environment variables if possible (use a keyfile with restrictive permissions), and confirm the code that does transaction build/sign/submit to ensure no exfiltration of secret material. If you are not comfortable auditing the code, treat this skill as untrusted.
- Findings
[unicode-control-chars] unexpected: SKILL.md contained unicode control characters/patterns that the pre-scan flagged as prompt-injection. There is no legitimate reason for control chars in runtime instructions; they could be an attempt to influence LLM-driven installers or reviewers. This should be investigated and removed/cleaned before trusting the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description (Solana DeFi game agent) aligns with the included files and dependencies: node/npm, @solana/web3.js, bs58, tweetnacl, and a CLI script that builds/signs/submits Solana transactions to api.defipoly.app. Requiring Node and npm is reasonable for this functionality.
- Instruction Scope (concern): SKILL.md instructs running the included CLI which will load a wallet (from .wallet.json or WALLET_FILE / WALLET_PRIVATE_KEY env), sign transactions locally, and POST to the declared backend. The pre-scan found unicode-control-chars in SKILL.md (prompt-injection pattern). The file therefore may contain hidden control/unicode sequences intended to manipulate an LLM or automated scanner. This is unexpected for a playbook and raises concern.
- Install Mechanism (ok): No remote arbitrary downloads; install is npm install in the skill dir (dependencies are standard npm packages from the registry). package.json and package-lock.json list normal Solana-related deps. No extract-from-URL installs were detected.
- Credentials (note): No required env vars are declared, which is consistent, but the CLI supports sensitive optional overrides: WALLET_FILE and WALLET_PRIVATE_KEY (private key in env), plus BACKEND_URL and SOLANA_RPC. WALLET_PRIVATE_KEY gives full signing authority and is necessary for transaction actions but is extremely sensitive — providing it (or a wallet file) to the skill transfers signing capability to code you run. BACKEND_URL is overridable and, if set to an attacker-controlled endpoint, could cause the agent to build transactions against a malicious backend or exfiltrate data. These options are proportionate for a wallet agent but require user caution.
- Persistence & Privilege (ok): always is false. The script caches JWTs to /tmp/defipoly-agent-<hash>.json (ephemeral), and otherwise doesn't request persistent system-wide privileges or modify other skills' configs. Autonomous invocation is allowed but is the platform default; this alone isn't a red flag.
