Skill v1.0.2004
ClawScan security
aleph-cloud-self-deployment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 2:50 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's purpose (self-deploy an agent to Aleph Cloud) matches its instructions, but the runtime instructions tell the agent to create/import private keys and to share AI-provider API keys and agent credentials with spawned VMs while the skill declares no required credentials—this mismatch and the credential-transmission guidance are high-risk and should be reviewed carefully before use.
- Guidance
- This skill will instruct an agent to create/import private blockchain keys, generate SSH keys, install aleph-client, and explicitly share your AI-provider API key and agent state with freshly provisioned VMs. That is a high-sensitivity operation. Before installing or running: (1) Do not supply your primary OpenAI/Anthropic API keys—use ephemeral or minimally-scoped keys if you must. (2) Expect the agent to read/write files in your home directory (~/.aleph-im/, ~/.ssh/). (3) Review and test commands locally rather than granting autonomous run privileges—disable or require human approval for model-invoked runs. (4) Verify aleph-client and the rootfs image hashes against Aleph's official sources and only use known/trusted CRNs. (5) If you do not fully trust the skill author, do not provide long-lived credentials or let the agent copy its internal knowledge/state to remote hosts; run any experiments in an isolated, billing-limited account or sandbox.
Review Dimensions
- Purpose & Capability
- note: The name/description match the SKILL.md: it genuinely instructs an agent how to provision an Aleph VM, install aleph-client/OpenClaw, and configure an agent runtime. However, the skill declares no required env vars/credentials even though the instructions explicitly require a funded Aleph account, an SSH keypair, a private key (or generation of one), and an AI provider API key. That mismatch between claimed requirements and the actual instructions is notable.
- Instruction Scope
- concern: The SKILL.md directs the agent to handle highly sensitive operations: import or generate private blockchain keys and store them under ~/.aleph-im/private-keys/, create SSH keypairs, and—critically—'share' AI provider API keys with spawned agents. It also shows automation to bypass interactive prompts (pexpect), auto-accept CRN Terms & Conditions, and instructs transferring agent 'knowledge and skills' to remote VMs. These steps go beyond simple orchestration and explicitly involve creating, reading, and transmitting secrets and agent state.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files; lowest install risk. It does instruct installing aleph-client via pip, which is reasonable for its stated purpose, but that external dependency will be fetched at runtime by the agent/user rather than by the skill package itself.
- Credentials
- concern: The skill requests no environment variables or declared credentials in metadata, yet its runtime instructions require: Aleph account credentials/private key, SSH keypair files, and an AI provider API key to provision and to hand off to new agents. Requiring transfer of provider API keys and asking the agent to configure its own identity on remote VMs is disproportionate unless the user intentionally provides ephemeral/minimally-scoped credentials. The lack of declared env vars is a transparency problem.
- Persistence & Privilege
- note: The skill is not forced-always and is user-invocable, and model invocation is allowed (normal). However, because its instructions enable automated creation of remote agents and explicit transfer of AI-provider keys/agent identity, autonomous invocation would significantly increase blast radius if the agent is allowed to run this skill without human oversight. Consider requiring manual approval or blocking autonomous runs.
