Skill v0.1.2
ClawScan security
web5 cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 4:05 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill generally matches a Web5 CLI workflow, but there are mismatches (no declared web5-cli binary), a detected base64 prompt-injection pattern in the SKILL.md, and the scripts read/write sensitive local key/account files — review before installing or running.
- Guidance
- What to consider before installing/running:
  1) Source trust: the skill has no homepage and the registry owner is unknown — verify the npm 'web5-cli' package author and checksum before installing.
  2) Sensitive files: the scripts and CLI will access and may write sensitive keys and tokens in ~/.web5-cli (signkey, ckb-sk, account.json). Back up and protect these files; consider running the workflow in a sandbox.
  3) Prompt-injection: SKILL.md contains a detected base64-like block — inspect the full SKILL.md for any encoded text or hidden instructions and remove/clean them.
  4) Run audit: review the included Python scripts yourself (they mostly call web5-cli and parse JSON; note minor bugs referencing undefined variables in error paths).
  5) Least privilege: do not run as a privileged user; limit network exposure and validate the PDS host you pass to commands.
  If you are unsure about the package provenance or the encoded content, do not install or run these scripts.
- Findings
[base64-block] unexpected: A base64-block pattern was detected in SKILL.md. Encoded blocks are not expected in a CLI usage doc and can be used for prompt-injection or to hide instructions. Inspect the SKILL.md content for embedded/encoded payloads before trusting the skill.
Review Dimensions
- Purpose & Capability
- note: The name/description and provided Python scripts align with a Web5 CLI account lifecycle helper (create/destroy account, PDS interactions). However the skill metadata declares no required binaries or credentials even though SKILL.md and the scripts assume the 'web5-cli' binary is installed (SKILL.md suggests `npm install -g web5-cli`). That mismatch is sloppy and should be resolved by the author.
- Instruction Scope
- concern: The runtime instructions and included scripts instruct the agent to run many web5-cli commands that access local keystore and wallet files (~/.web5-cli/signkey, ~/.web5-cli/ckb-sk) and to write ~/.web5-cli/account.json (stores username, DID, didkey, address, PDS domain and potentially tokens). The SKILL.md had a pre-scan 'base64-block' prompt-injection signal — an instruction-only doc embedding encoded or injected content can attempt to manipulate agents. While the scripts do not show explicit exfiltration, the combination of embedded prompt-injection patterns and operations that handle private keys is a material concern.
- Install Mechanism
- ok: There is no install spec for the skill itself (instruction-only), which is low-risk. The README tells users to install 'web5-cli' via npm; that is normal for this functionality. The skill does not contain an automated download/execute install step that would fetch arbitrary code.
- Credentials
- note: The skill declares no required environment variables or credentials, but uses CKB_NETWORK (optional) and accesses local key/wallet files via web5-cli. Access to private keystore and wallet files is expected for a wallet/DID manager, but because secrets and tokens may be written to ~/.web5-cli/account.json, the skill should explicitly document and justify this sensitive access. The lack of declared required binaries/credentials is an omission.
- Persistence & Privilege
- ok: The skill is not marked always:true and does not request system-wide privileges. It writes and reads files under ~/.web5-cli and creates temporary files, which is within scope for an account management tool. Autonomous invocation is allowed (platform default) but not combined here with an always:true or other high-privilege requests.
