ClawHub
Back to skill
v1.0.0

Near Faucet

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This appears to be a straightforward NEAR testnet faucet helper with disclosed network calls and no credential, file, or persistence behavior, though its docs and metadata slightly overstate or under-declare some details.

GuidanceThis skill looks safe for simple NEAR testnet faucet use. Be aware that it contacts NEAR testnet services with the account ID you provide, and the advertised status/rate-limit features do not appear to be implemented locally.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/faucet.js
hostname: 'wallet.testnet.near.org', path: '/api/faucet', method: 'POST' ... JSON.stringify({ account_id: accountId })

The command sends the provided NEAR testnet account ID to the disclosed faucet endpoint to request tokens. This is purpose-aligned, but it is still an external account-related action users should recognize.

User impactUsing the request command shares a testnet account ID with the NEAR faucet and may submit a token request for that account.
RecommendationUse it only with intended NEAR testnet accounts and confirm before asking the agent to request tokens.
Human-Agent Trust Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
- Check faucet request status
- Rate limiting per address
...
### `near-faucet status [request_id]`

The documentation advertises status checking and rate limiting, but the included CLI code only implements request and balance and shows no local rate-limit tracking. This looks like a documentation/functionality mismatch rather than malicious behavior.

User impactUsers may expect local status and rate-limit protections that are not actually implemented by the included script.
RecommendationDo not rely on this skill for local rate-limit enforcement or status tracking unless those features are added and reviewed.