Lance

Pass

Audited by ClawScan on May 1, 2026.

Overview

Lance is a coherent Web3 audit/reporting skill with purpose-aligned local helper scripts and no evidence of hidden credential use, exfiltration, persistence, or destructive behavior.

This skill appears safe for its intended purpose. Before installing, verify the source package and be aware that its helper scripts can read and write local files you explicitly provide for Web3 audit workflows.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may run local Python utilities against user-provided files and write generated manifests or reports.

Why it was flagged

The skill directs use of bundled Python helper scripts. This is expected for its local audit/report workflow, but users should recognize that installing the skill includes runnable local code.

Skill content

Parse scope docs with `scripts/parse_web3_scope.py` ... Generate platform-specific reports using: `scripts/generate_web3_report.py`

Recommendation

Use the scripts only on intended audit files, review output paths before writing files, and keep normal local-file safety practices.

What this means

Users have less registry-level provenance information to confirm they are installing the intended package.

Why it was flagged

The registry metadata does not provide a verified source or homepage, even though the skill text references a GitHub repository. This is a provenance/completeness note rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the package source and contents before installation, especially if installing from a repository rather than a trusted registry package.