Skill v2.16.0
ClawScan security
Beacon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 8, 2026, 11:36 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The SKILL.md describes networked agent-to-agent messaging and on-chain payments but omits an install spec while instructing users to pip-install a third-party package, to write keystores, and to broadcast UDP. This mismatch and the hidden install/supply-chain surface are concerning.
- Guidance: This skill's behavior is plausible for a P2P/payments tool, but there are important red flags you should address before installing or using it:
  - Verify the source: SKILL.md cites a GitHub repo but the registry lists source as unknown. Manually inspect the linked GitHub repository and confirm it matches the PyPI package (author, code, commit hashes) before running `pip install`.
  - Inspect the package: prefer to clone and audit the code (or review its published wheel/tarball) rather than blindly pip-install. Check the PyPI publisher, release history, and package checksums or GPG signatures if available.
  - Sandbox installs: install and run the package in an isolated environment (VM or container) first, especially because it performs network I/O and key management.
  - Protect keys: the skill will create keystores and may request passwords; never paste private keys into untrusted prompts. Back up encrypted keystores and keep strong passwords. Consider using hardware wallets or separate signing environments for real funds.
  - Be careful with broadcasts: do not enable UDP broadcasting on untrusted networks; broadcasting to 255.255.255.255 can leak metadata to the entire LAN.
  - If you need stronger assurance: ask the publisher to add an explicit install spec and package hash to the registry entry (or publish the skill with inline code) so the registry and SKILL.md align.

  What would change this assessment: a registry-provided install spec pointing to a vetted release (with package hashes or a verified GitHub release), or inclusion of the package source files with the skill so no hidden pip install is required. Without that, treat the pip install/supply-chain step as a significant risk.
Review Dimensions
- Purpose & Capability (concern): The description and SKILL.md claim a full networking + payments stack (11 transports, signed RustChain payments, UDP broadcast, keystores). The registry entry contains no install spec or source/homepage, yet SKILL.md tells users to run `pip install beacon-skill` and points to a GitHub repo. That discrepancy (registry 'source: unknown' vs SKILL.md GitHub link + implicit PyPI install) is incoherent and increases supply-chain risk.
- Instruction Scope (concern): Runtime instructions tell the agent/user to install a package, create and write files under ~/.beacon (config, encrypted keystores, inbox.jsonl), enable/disable UDP broadcasts (including broadcasting to 255.255.255.255), and create/sign payments. These operations involve network traffic, local key material, and optional wide LAN broadcasts, all within the claimed purpose but with significant potential for data exposure. The SKILL.md gives the agent broad capability to install and run external code that will perform these actions.
- Install Mechanism (concern): No install spec is present in registry metadata, yet SKILL.md instructs `pip install beacon-skill`. An instruction-only skill that instructs installing a PyPI package hides an executable install step from the registry. This is a supply-chain risk: the pip package could change, be typosquatted, or differ from the quoted GitHub source. The SKILL.md's mention of a GitHub repo helps, but the registry's lack of an authoritative install/source declaration is a mismatch to note.
- Credentials (note): The skill requests no environment variables or external credentials in the registry, which is consistent with storing keys locally in encrypted keystores. That is proportionate to a wallet/peer-to-peer tool. However, the instructions enable optional UDP broadcast of outbound actions (potential metadata leakage) and create persistent files in the user's home directory; the user must manage passwords and keystores safely. The absence of declared env vars is not proof of safety because secrets live in files created by the package.
- Persistence & Privilege (note): `always` is false and the skill is user-invocable (normal). The package will create files under ~/.beacon (its own config and keystores), which is scoped to the skill. The main concern is that an agent invoking this skill autonomously could run the pip-installed code (not present in the registry) to perform network actions; autonomous invocation combined with an external pip install increases blast radius compared to a pure instruction-only skill.
