Skill v1.0.0

ClawScan security

solclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (name-based Solana USDC payments) matches the instructions, but the runtime guidance relies on fetching/running third‑party CLI code (npx/solclaw CLI), encourages exporting/importing private keys and automating payment actions (cron/heartbeat/permissionless 'execute'), and points to an external API domain — these practices increase risk and deserve verification before you use it.
Guidance
This skill appears to do what it says, but it relies on running a third‑party CLI (npx solclaw-cli / solclaw) and on an external API (solclaw.xyz). Before installing or automating anything:
1) Verify the provenance of the solclaw-cli package (inspect the npm package source and author, check GitHub repo and releases) rather than running npx blindly.
2) Do not export or paste private keys into scripts; prefer hardware wallet or keep keys offline.
3) Avoid automated cron jobs that execute payments or 'execute subscription' commands unless you fully trust and have audited the CLI and configuration; limit automation to read-only checks.
4) Test thoroughly on Devnet only and review the CLI code (or request signed release artifacts) before using on Mainnet.
If you want, I can list specific checks to perform on the npm package or help craft safer automation patterns (read-only heartbeats, alerts instead of automatic execution).

Review Dimensions

Purpose & Capability
ok
The name, description, and commands are coherent: a CLI-based, non-custodial Solana USDC payments tool would need to manage keypairs, register on-chain, query balances, and send transactions. Program IDs and USDC mint are provided and the network is explicitly Devnet, which matches the stated purpose.
Instruction Scope
concern
The SKILL.md instructs the agent to import/export private keys, store keys at ~/.config/solclaw/keypair.json, run commands that sign transactions locally, and suggests automation (heartbeat, cron). It also references external API endpoints (solclaw.xyz). Automatically executing subscription/pay commands or running export commands (which can output raw private keys) increases the risk of accidental or automated fund transfers and key leakage. The instructions grant broad discretion (run cron, run heartbeats) that could cause side effects if misused.
Install Mechanism
note
There is no install spec (instruction-only), which is lower risk, but the docs instruct use of npx solclaw-cli and assume a 'solclaw' binary — npx implicitly downloads and runs code from npm each time. The skill does not declare or vet that package or provide checksums/known-good sources. That implicit remote code execution via npx and the use of curl against solclaw.xyz are installation/runtime actions you should verify before running.
Credentials
note
The skill requests no environment variables or credentials, which is proportionate. However the runtime guidance deals directly with highly sensitive secrets (private keys, base58 keys, keypair files) and instructs exporting/importing them. That handling is expected for a wallet tool but it's sensitive: exporting keys, storing them on disk, or piping command outputs to scripts increases exposure and should be treated carefully (prefer hardware wallets or read-only automation).
Persistence & Privilege
note
always:false and no persistent install are appropriate. However the included heartbeat.md and examples recommend cron jobs and long‑running automation that would periodically query state and (implicitly) could execute payments or subscriptions. Persisting an automated process that can trigger transactions increases blast radius — the skill itself doesn't request the privilege, but it explicitly encourages setting it up.