Skill v1.0.2011

ClawScan security

celo-defi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 2:50 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only skill that provides Celo DeFi contract addresses and integration examples; it requests no credentials, installs nothing, and its requested capabilities match its description.
Guidance
This skill is coherent and low-risk as provided, but take these practical precautions before using it in production:
1) Verify every contract address on Celoscan or the official protocol docs (the skill itself advises this).
2) Test on Alfajores (the testnet addresses are included) before mainnet usage.
3) Never paste private keys or secrets into any tool; the code samples assume wallet-provider signing (e.g., MetaMask/CeloWallet) and will prompt the user to approve transactions.
4) Because the registry source/homepage are missing, prefer official packages or upstream docs for long-term use and periodically re-check addresses for updates or migrations.
5) If you’ll run any of the snippets in an automated environment, review them for gas/parameter handling and add proper input validation and error handling.

Review Dimensions

Purpose & Capability
ok: The skill's name/description (Celo DeFi integration) matches the included contents: contract addresses, protocol lists, and code samples for swaps, lending, and liquidity. There are no unrelated dependencies, binaries, or credentials requested. Note: the registry 'source' and homepage are missing, so authorship cannot be independently verified, but that does not make the content incoherent.
Instruction Scope
ok: SKILL.md contains only documentation and code examples (TypeScript snippets using window.ethereum / viem). The instructions do not tell the agent to read unrelated system files, environment variables, or exfiltrate data. The code examples assume user wallet interaction (expected for transaction signing). The file even advises verifying addresses on Celoscan.
Install Mechanism
ok: No install spec and no code files to execute are provided (instruction-only). This minimizes the surface for arbitrary code execution or unexpected downloads.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the SKILL.md does not reference hidden env vars. The integration samples rely on browser wallet providers (window.ethereum), which is appropriate for the stated purpose.
Persistence & Privilege
ok: The skill does not request always:true or other elevated persistence. Autonomous invocation is allowed (platform default) but there are no additional privileges or system modifications requested by the skill.