Skill v1.0.1

ClawScan security

Bank Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 5:19 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated features (Wise banking + on‑chain Base token operations) but contains persistent wallet management and private‑key export capabilities, lacks an explicit install spec for heavy blockchain dependencies, and mixes banking with on‑chain tooling in ways the user should explicitly approve before installing.
Guidance
Summary and recommendations before installing:
- Understand the true capabilities: this skill will call the Wise API (requires WISE_API_TOKEN) and also create/manage an on‑chain wallet under ~/.clawbank for Base (encrypted keystore + sweep logs). These are separate surfaces; Wise API access does not magically move funds on‑chain without explicit transactions.
- Sensitive artifacts created: the skill creates ~/.clawbank/wallet.json (encrypted keystore) and ~/.clawbank/sweep.config and append logs. It also exposes an export_private_key tool that will return the raw private key if invoked; do NOT call that unless you intend to reveal the key.
- Least privilege for API tokens: give the Wise token the narrowest scope possible and enable Wise dashboard IP whitelisting and rotation. Treat WISE_API_TOKEN as sensitive.
- Run in an isolated environment: because the skill executes network calls and interacts with wallets, run it on an isolated machine or container where you control dependencies rather than on a machine with other sensitive credentials.
- Dependencies & runtime: pyproject lists heavy blockchain/network dependencies, but there is no install spec. Ensure Python >=3.10 and install dependencies (web3, eth‑account, httpx, etc.) in a virtualenv before running to avoid runtime errors. Note: code references an external uniswap_universal_router_decoder; verify availability.
- Audit and limit actions: review code paths for any automated sweeping/buy operations and disable or require manual confirmation for expensive actions. Do not allow the agent to autonomously call buy_token or send_token unless you trust it and monitor transactions.
- If you need only banking features: consider extracting or running only the Wise modules to avoid installing wallet/sweeper code.
Confidence note: medium — the repository appears coherent with its stated purpose, but the combination of on‑chain wallet management, private‑key export, persistent artifacts, and missing automated dependency/install instructions raises enough concern that you should review and test the code in a controlled environment before using with real funds.

Review Dimensions

Purpose & Capability
note
Name/description (Wise + on‑chain swaps on Base) matches the code: there are Wise client modules and separate wallet/sweeper modules for Base. Required credential (WISE_API_TOKEN) is appropriate for Wise operations; optional env vars (CLAWBANK_WALLET_PASSWORD, BASE_RPC_URL) are used for on‑chain features and are declared as optional in SKILL.md metadata. However, the README/SKILL.md implies an integrated flow (deposit → on‑chain swap) that is not a single atomic Wise→chain transfer; users should not assume Wise balances are automatically moved on‑chain without explicit instructions. Also the sweeper includes ClawBank‑specific hardcoded pool/hook parameters (domain‑specific behavior).
Instruction Scope
concern
Runtime instructions and code read environment variables and create persistent files under ~/.clawbank (wallet.json, sweep.config, logs). The wallet module can export the private key (export_private_key is included as a tool in README/SKILL.md), which means the agent can produce the raw private key in responses if invoked. The SKILL.md claims the skill will not store API keys in code (true), but it does create and store an encrypted keystore and swap logs locally; those files are persistent and contain sensitive material (encrypted keystore, swap history). The code also depends on blockchain RPC and third‑party libraries (web3, uniswap decoder) which are executed at runtime.
Install Mechanism
note
This is an instruction‑only skill (no install spec). The package contains Python source and a pyproject.toml declaring heavy dependencies (web3, eth-account, httpx, etc.), but there is no automated install step included in the metadata. That means runtime will require a Python environment with those packages already installed; absent that, runtime may fail. No direct downloads or obscure URLs are used, but missing dependency management increases friction and possible misconfiguration.
Credentials
note
The only REQUIRED env var is WISE_API_TOKEN (appropriate for Wise API usage). The skill also reads optional env vars CLAWBANK_WALLET_PASSWORD and BASE_RPC_URL (declared as optional in SKILL.md). These are proportional to the on‑chain features. However, because the skill can export a wallet's private key and writes an encrypted keystore on disk, the combination of environment access and available tools increases the risk surface: a compromised agent session or careless use could leak the private key or reuse the wallet password elsewhere.
Persistence & Privilege
note
The skill writes persistent files to the user's home (~/.clawbank): an encrypted keystore (wallet.json), sweep.config, and append logs. This persistence is expected for a wallet/sweeper, but it is a lasting footprint. always:false (not force‑installed) and it does not modify other skills' configs, which is appropriate, but users should be aware of the persistent keystore and logs created on first run.