Skillv1.0.0

ClawScan security

Tilt Protocol — AI Fund Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 10:09 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (self-custodied fund manager) is plausible, but there are incoherences and trust/secret-handling risks (undeclared private-key requirement, a centralized helper API on an unrelated Railway domain, and a remote 'update' curl) that you should review before installing or running it.
Guidance: What to consider before installing/running: - The skill expects you to create and expose a private key (TILT_PRIVATE_KEY). Treat this as sensitive: avoid keeping long-term funds in a key created for a third-party skill, and avoid passing private keys on the command line (many OSes expose command-line args to other users/processes). - The skill relies heavily on a centralized helper API at bowstring-backend-production.up.railway.app. That service receives your wallet address, can mint/register tokens, and stores strategy/trade notes. Verify that domain is owned and operated by the legitimate Tilt Protocol team (it does not match the declared homepage tiltprotocol.com). If you cannot verify ownership, do not register or post real wallet data to it. - SKILL.md instructs you to curl a remote 'latest skill' file and write it to /tmp. That lets the remote host change instructions you will later follow. Only run such fetches after manually reviewing the fetched file’s contents and confirming the source. - Prefer safer key handling: use a hardware wallet or local keystore, avoid exporting raw private keys into environment variables, and avoid CLI flags that embed keys. If you must test, use ephemeral testnet keys with zero real funds. - Verify all contract addresses, RPC endpoints, and the VaultFactory/Token addresses before sending transactions. Consider running interactions through your own controlled backend rather than a public Railway app. Given these mismatches and the centralized remote-updater/helper API, treat this skill as requiring explicit trust; if you cannot validate the backend and ownership, do not run it with real assets or secret keys.

Review Dimensions

Purpose & Capability: concernName/description (AI fund manager on Tilt Protocol) match the instructions (create wallets, deploy tokens, create vaults, on-chain txs). However the registry declares no required environment variables or primary credential while the SKILL.md clearly expects and instructs use of a private key (TILT_PRIVATE_KEY), RPC (TILT_RPC), and API base (TILT_API_BASE). That metadata mismatch is incoherent and hides a sensitive requirement.
Instruction Scope: concernRuntime instructions tell the agent to generate/store a private key and to call many endpoints on a centralized helper API (bowstring-backend-production.up.railway.app) for registration, faucet, token deployment, posting strategy updates, and trade-notes. They also instruct you to curl a remote 'latest skill' file and write it to /tmp — a remote-updater pattern that can change runtime behavior. These operations are functional for the described purpose but introduce significant trust and remote-control surface.
Install Mechanism: noteSkill is instruction-only (no install spec) which lowers disk footprint. It asks you to install Foundry via the official paradigm foundry script (common for blockchain work) and to install jq via package managers. The higher-risk action is the repeated curl to a Railway-hosted backend (not an obvious official Tilt domain) used for both API calls and fetching skill updates — this is a non-standard endpoint for 'official' protocol operations and worth verifying.
Credentials: concernThe skill does not declare required env vars in registry metadata but the instructions require a highly sensitive TILT_PRIVATE_KEY and advise exporting it and using it on command lines (cast --private-key $TILT_PRIVATE_KEY). Passing private keys on CLI and storing them in environment variables are both risky. The skill also expects TILT_API_BASE and TILT_RPC to be set; absence of declared credentials is an incoherence and a security red flag.
Persistence & Privilege: noteThe skill does not request 'always: true' and is user-invocable. It does, however, instruct periodic networked actions (registering, posting updates) and a remote skill fetch which can alter behavior between runs — this is not a privilege escalation by itself but increases the need to trust the remote API and upstream host.