Skill v1.0.2
ClawScan security
Nova · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 8:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only adapter for the nova CLI and its requirements/instructions are consistent with that purpose; the main residual risk is installing and running a third-party npm package at runtime (normal but requires trust).
- Guidance: This skill appears to be what it claims: a set of safe, deterministic instructions for operating the nova CLI. Before installing or running it, verify the npm package and GitHub repository (author, recent releases, and trustworthiness). Prefer 'npx @mynthai/nova' to avoid a global install if you don't trust the package, and always use '--dry-run' and explicit user confirmation for any 'send' or 'withdraw' actions. Do not paste claim URLs, exported keys, or mnemonic phrases into shared chats or logs. If you need higher assurance, inspect the @mynthai/nova package source on GitHub/npm before allowing the agent to install or execute it.
Review Dimensions
- Purpose & Capability (ok): The name/description (operate the nova CLI wallet) match the SKILL.md guidance. Required runtime (Node.js 24 and the @mynthai/nova npm package or npx) is coherent for a Node-based CLI wrapper. There are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope (ok): SKILL.md is narrowly scoped to deterministic parsing, network checks, balance checks, send/withdraw flows, and secret-handling guidance. It does not instruct the agent to read unrelated files, harvest environment variables, or transmit data to unexpected endpoints. It explicitly warns to treat claim links and keys as secrets.
- Install Mechanism (note): There is no registry install spec, but the runtime instructions tell the agent to run 'npm install @mynthai/nova' or use 'npx'. Installing/executing a third-party npm package is a normal way to get a CLI, but it does write and execute code from the public npm registry — verify the package and maintainer before allowing installation. Minor inconsistency: registry metadata lists no homepage/source while SKILL.md includes GitHub and npm URLs.
- Credentials (ok): The skill requests no environment variables or credentials. Instructions reference only nova's own config (e.g., 'nova config get network'), which is proportional to the wallet management purpose. Secret-handling rules are sensible and do not request unrelated secrets.
- Persistence & Privilege (ok): 'always' is false and the skill is instruction-only, so it does not request permanent automatic inclusion or elevated platform privileges. The guidance to use npm/npx does not itself alter platform configuration (other than potential local/global package installation if the user chooses '-g').
