Back to skill
Skillv1.0.0
ClawScan security
ape-claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 15, 2026, 3:26 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions and installation steps ask for sensitive secrets (private keys, agent tokens) and recommend running an untrusted install script, but the registry metadata does not declare these environment requirements — the pieces are internally inconsistent and warrant caution.
- Guidance
- Do not run the suggested curl|bash installer or provide your private key or tokens until you verify the upstream project. Before installing: (1) inspect the GitHub repository and the exact install.sh contents for malicious commands; (2) confirm the repo owner and releases (signed releases are safer than raw URLs); (3) require the skill/registry to declare the env vars it needs (why are none listed even though SKILL.md lists several); (4) if you must test, use a sandbox or throwaway wallet with minimal funds and no long-lived keys; (5) prefer installing from a vetted package or reviewing the code locally rather than piping a remote script to bash; (6) consider rejecting or requesting the maintainer to add an install spec and explicit env var declarations in registry metadata.
Review Dimensions
- Purpose & Capability
- noteThe declared purpose (ApeChain NFT quoting/simulating/buying and bridging) matches the CLI commands and workflows in SKILL.md. Requesting an execution-capable private key (APE_CLAW_PRIVATE_KEY) and agent tokens is coherent with performing on-chain buys and autonomous bot actions, but the registry metadata lists no required env vars/primary credential despite SKILL.md naming several sensitive variables — that mismatch is unexpected.
- Instruction Scope
- concernThe SKILL.md explicitly instructs operators/agents to run arbitrarily downloaded installers (curl | bash) and to set sensitive env vars (agent id/token, OPENSEA_API_KEY, APE_CLAW_PRIVATE_KEY). It also references telemetry/Relay API and auto-injection of a shared OpenSea key; these imply remote network calls and potential transmission of identifiers/keys. The instructions permit autonomous execution flags (e.g., --autonomous) which combined with private-key-based execute paths increases blast radius.
- Install Mechanism
- concernThere is no formal install spec in the registry, but SKILL.md tells users to run `curl -fsSL https://raw.githubusercontent.com/simplefarmer69/ape-claw/main/install.sh | bash` and suggests `npx github:...` as fallback. Advising curl|bash from a raw GitHub URL (and installing arbitrary code via npx from a GitHub repo) is high-risk because it executes remote code with local privileges and the repo/installer are not verified in the registry metadata.
- Credentials
- concernThe registry claims no required env vars or primary credential, yet SKILL.md requires APE_CLAW_AGENT_ID, APE_CLAW_AGENT_TOKEN, OPENSEA_API_KEY, and APE_CLAW_PRIVATE_KEY (the latter required for any --execute path). Asking for a private key and agent token is functionally necessary for transaction execution, but the omission from declared requirements is a significant inconsistency and increases the chance of surprise credential exposure.
- Persistence & Privilege
- notealways:false (not force-included) and default autonomous invocation are retained. The installer the skill instructs to run would likely install a persistent CLI and may store tokens locally, but the skill does not request elevated OS-level privileges explicitly. Combined with the private-key/agent-token requirements, autonomous invocation could allow the agent to initiate real transactions — a risky combination but not an inherent privilege escalation by itself.