Skill v1.0.0

ClawScan security

Signet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:29 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions generally match its advertised purpose (posting and checking onchain ads), but there are notable inconsistencies and operational risks: the SKILL.md expects a wallet private key and runs remote npm code via npx, yet declares no required environment variables and gives no provenance for the remote service or package.
Guidance
This skill appears to do what it says (estimate/list/post Signet spotlight ads) but has a few important caveats to consider before installing or invoking it:

- Private key handling: Posting requires signing with a wallet private key (PRIVATE_KEY or --private-key). Never store your main wallet private key in a skill environment. Use a dedicated, funded test wallet, or a hardware wallet / offline signing where possible.
- Remote code execution via npx: The SKILL.md instructs use of npx @signet-base/cli. npx fetches and runs code from npm at runtime, so verify the package name, publisher, and source repository before running it. Inspect the package source (or install it into an isolated environment) and prefer pinned, audited releases.
- Unknown API host: The API base (signet.sebayaki.com) has no homepage listed. Treat network endpoints as untrusted until you verify them. Use the --simulate flag first to avoid committing funds, and inspect the request/response traffic if possible.
- Metadata mismatch: The skill metadata declares no required env vars, but the instructions reference PRIVATE_KEY. Ask the skill author to clarify the required credentials and declare them in metadata; prefer skills that explicitly state required scopes and secrets.
- Safer alternatives: Prefer offline or delegated signing (generate a payment payload and sign it locally with a wallet you control), use a dedicated small-balance wallet for testing, or review the @signet-base/cli source before use.

If you proceed: test with --simulate, use a throwaway wallet with minimal balance, inspect network requests, and verify the npm package and API domain provenance. If you cannot verify those, do not provide real private keys or run commands that submit payments.

Review Dimensions

Purpose & Capability
note · The skill's name and description (interact with Signet onchain advertising, support x402 payments) match the instructions (estimate, list, post via x402). However, SKILL.md references using a PRIVATE_KEY (env or --private-key) for onchain posting, but the skill metadata declares no required environment variables or primary credential: an inconsistency that should be addressed. Requiring a wallet private key is plausible for the stated purpose, but it was not declared.
Instruction Scope
concern · Runtime instructions tell the agent to run npx @signet-base/cli commands and to curl an external API (https://signet.sebayaki.com), and explicitly instruct it to use a private key to submit payments. This is within the functional scope, but the instructions cause network calls and remote code execution (via npx) and ask the agent to handle a sensitive secret (PRIVATE_KEY). The SKILL.md also describes the full 402 payment flow (including signing), so an agent following the doc may create and transmit signed payment material. The instructions read an environment variable (PRIVATE_KEY) that is not declared in the skill metadata, which is a scope mismatch.
Install Mechanism
note · There is no install spec (instruction-only), but the guide directs use of npx, which fetches and executes package code from the npm registry at runtime. That is a normal developer pattern for CLIs, but it means code is pulled from the network and executed at the moment of use. The referenced API host (signet.sebayaki.com) and npm package (@signet-base/cli) are not validated or linked to a known homepage in the registry metadata, so provenance is unverified.
Credentials
concern · The only sensitive credential implied by the instructions is a private key for signing onchain payments (PRIVATE_KEY). Requesting a private key is proportionate to the task of creating onchain payments, but the skill metadata does not declare this environment variable or any primary credential. That omission makes it unclear how the skill expects to receive or protect the secret. No other unrelated credentials are requested.
Persistence & Privilege
ok · The skill does not request persistent presence (always: false), provides no install scripts, and has no config paths or system modifications. It does not ask to modify other skills or system-wide settings.
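The checks above (an env var the instructions read but the metadata never declares, npx pulling an unpinned package at run time, a secret passed on the command line, an API host nothing vouches for) are mechanical enough to run yourself before installing any skill. The script below is an added example, not ClawHub's scanner and not the Signet skill's code: the metadata field names (requiredEnv, homepage, always), the subcommands in the two sample SKILL.md texts, and the version 1.4.2 are constructed for illustration. The first sample mirrors the skill as reviewed; the second shows the corrected shape the Guidance section asks for (secret declared and read from the environment, release pinned, host declared).

```python
"""Pre-install audit: what SKILL.md tells the agent to run vs. what the
skill metadata declares. Added example, not ClawHub's scanner or the Signet
skill's code; field names and both SKILL.md samples are constructed."""
import re
from dataclasses import dataclass

# Constructed "as reviewed" inputs: secret used but never declared, npx
# unpinned, API host that no homepage vouches for.
SAMPLE_METADATA = {"always": False, "requiredEnv": [], "homepage": None}
SAMPLE_SKILL_MD = """\
    npx @signet-base/cli estimate --simulate
    PRIVATE_KEY=0x... npx @signet-base/cli post
    npx @signet-base/cli post --private-key $PRIVATE_KEY
    curl https://signet.sebayaki.com/ads
"""
# Constructed corrected variant: secret declared and read from the
# environment only, release pinned, API host declared as homepage.
SAMPLE_METADATA_FIXED = {"always": False, "requiredEnv": ["PRIVATE_KEY"],
                         "homepage": "https://signet.sebayaki.com"}
SAMPLE_SKILL_MD_FIXED = """\
    export PRIVATE_KEY=0x...   # dedicated low-balance wallet
    npx @signet-base/cli@1.4.2 estimate --simulate
    npx @signet-base/cli@1.4.2 post
    curl https://signet.sebayaki.com/ads
"""

ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?|\b([A-Z][A-Z0-9_]{2,})=(?=\S)")
NPX_REF = re.compile(r"\bnpx\s+(?:-\S+\s+)*((?:@[\w.-]+/)?[\w.-]+)(?:@(\S+))?")
URL_REF = re.compile(r"https?://([\w.-]+)")
SECRET_FLAG = re.compile(r"--(private-key|mnemonic|seed|secret)\b")
SECRET_NAME = re.compile(r"KEY|SECRET|MNEMONIC|SEED|TOKEN")
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+")


@dataclass(frozen=True)
class Finding:
    severity: str  # "concern" or "note", the report's own labels
    kind: str
    subject: str
    detail: str


def audit_skill(skill_md: str, metadata: dict) -> list[Finding]:
    """Return deduplicated findings for one skill (first occurrence order)."""
    found: list[Finding] = []
    declared = set(metadata.get("requiredEnv") or [])
    home = URL_REF.search(metadata.get("homepage") or "")
    homepage_host = home.group(1) if home else ""

    # Env vars the instructions read ($NAME or NAME=value) but metadata omits.
    for name in sorted({m.group(1) or m.group(2) for m in ENV_REF.finditer(skill_md)}):
        if name not in declared:
            found.append(Finding("concern", "undeclared-env", name,
                                 "read by the instructions, not declared in metadata"))
        if SECRET_NAME.search(name):
            found.append(Finding("note", "signing-secret", name,
                                 "use a dedicated low-balance wallet, never a main wallet"))

    # A secret on the command line lands in shell history and process listings.
    for m in SECRET_FLAG.finditer(skill_md):
        found.append(Finding("concern", "secret-on-cli", "--" + m.group(1),
                             "pass it via the environment or sign offline instead"))

    # npx fetches and runs registry code at invocation time; unpinned means
    # whatever "latest" resolves to when the agent happens to run it.
    for m in NPX_REF.finditer(skill_md):
        pkg, version = m.group(1), m.group(2)
        if version and EXACT_VERSION.fullmatch(version):
            found.append(Finding("note", "npx-remote-code", f"{pkg}@{version}",
                                 "pinned, but still remote code: inspect it before first use"))
        else:
            found.append(Finding("concern", "unpinned-npx", pkg,
                                 "resolves latest at run time; pin an audited release"))

    # Network endpoints that nothing in the metadata vouches for.
    for host in sorted({m.group(1) for m in URL_REF.finditer(skill_md)}):
        if host != homepage_host:
            found.append(Finding("note", "external-host", host,
                                 "no homepage ties this host to the skill; verify before trusting"))

    if metadata.get("always"):
        found.append(Finding("note", "persistent", "always",
                             "skill asks to be loaded in every session"))
    return list(dict.fromkeys(found))  # frozen dataclass instances are hashable


def verdict(findings: list[Finding]) -> str:
    return "suspicious" if any(f.severity == "concern" for f in findings) else "ok"


if __name__ == "__main__":
    for md, meta in ((SAMPLE_SKILL_MD, SAMPLE_METADATA),
                     (SAMPLE_SKILL_MD_FIXED, SAMPLE_METADATA_FIXED)):
        fs = audit_skill(md, meta)
        print(f"verdict: {verdict(fs)}")
        for f in fs:
            print(f"  [{f.severity}] {f.kind} {f.subject}: {f.detail}")
```

Run against the first sample it returns "suspicious" with four concerns that line up with the dimensions above (undeclared PRIVATE_KEY, --private-key on the command line, unpinned @signet-base/cli) plus the unverified host as a note; against the corrected sample only notes remain, because a pinned npx package is still remote code and a signing key is still a signing key, which is why the Guidance section still asks for a throwaway wallet and --simulate even when everything is declared.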