Back to skill
Skillv0.2.0
ClawScan security
Pm Sim · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 1, 2026, 2:13 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is a simple deprecation notice that directs users to install a renamed package; its instructions and metadata are internally consistent.
- Guidance
- This skill is only a deprecation notice and is safe on its face. If you plan to follow its suggestion, review the target package (polymarket-paper-trader) before installing: check the npm package name and version, inspect its source or repository, review its README for required environment variables or permissions, and consider installing in a sandboxed environment if you don't trust the package. Remember that running npx will fetch and execute remote code from the npm registry, so vet the package author and contents before proceeding.
Review Dimensions
- Purpose & Capability
- okThe skill's name/description indicate it is deprecated and points to polymarket-paper-trader. There are no declared requirements or capabilities that conflict with that purpose.
- Instruction Scope
- noteSKILL.md only contains a short message and a single command suggestion (npx clawhub install polymarket-paper-trader). It does not instruct reading files or accessing unrelated data, but it does delegate installation to an external npm-based package (the renamed package) which will determine real runtime behavior.
- Install Mechanism
- okThis skill has no install spec and no code — lowest-risk. The only action recommended is using npx to install a different package; the current skill itself writes nothing to disk.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. Nothing requested is disproportionate to a deprecation notice.
- Persistence & Privilege
- okalways is false and the skill is user-invocable only. It does not request persistent presence or modify other skills.