Skill v1.0.0
ClawScan security
aiusd-core · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 16, 2026, 2:36 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match a trading CLI, but it tells the agent to fetch and run an npm package at runtime (npx), to execute follow-up steps without reconfirmation, and to potentially read mnemonic backup files — behaviors that are coherent with trading but carry substantial remote-code and financial risk.
- Guidance: This skill is coherent with its stated purpose (a CLI trading toolkit) but carries non-trivial risks: it instructs the agent to fetch and run an npm package at runtime (npx), may read backup mnemonic files if asked, and directs the agent to execute CLI 'next_steps' without re-confirmation. Before installing, verify the npm package identity and source (official npm package name, publisher, and published code), prefer a pinned/versioned install rather than unpinned `npx -y`, require explicit user confirmation for every trade and for any restore-from-file action, and avoid allowing autonomous invocation for this skill unless you trust the package and have reviewed its code. If you plan to use it, ask the publisher for the package repository URL, a reproducible build or checksum, and details about how authentication tokens and mnemonic backups are stored and protected.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), and CLI-focused instructions align: a trading/account-management skill legitimately needs node and a CLI entrypoint (npx aiusd-core). No unrelated credentials or binaries are requested.
- Instruction Scope (concern): The SKILL.md instructs the agent to run `npx -y aiusd-core` (dynamic remote code execution), to follow CLI-provided 'next_steps' automatically without re-confirmation, and to use restore flows that accept a local mnemonic file path. Those steps expand the agent's effective privileges (can run whatever the npm package does, read a specified backup path) and can lead to executing additional actions without explicit user reconfirmation.
- Install Mechanism (concern): There is no install spec, but runtime use of `npx -y aiusd-core` means the agent will fetch and execute code from the npm registry on demand. npx execution of an external package is a moderate-to-high risk vector (arbitrary remote code executed each run) and there is no integrity / pinned version or verifiable checksum provided in the skill.
- Credentials (note): The skill declares no required env vars, which is reasonable. However, the instructions imply handling authentication tokens, wallets, and optional mnemonic restore files (local path). Those are sensitive operations (wallet creation, token storage, and reading mnemonic backups) and the skill gives guidance for performing them but does not describe where tokens are stored or how file access is constrained.
- Persistence & Privilege (concern): always:false (good), but the skill allows autonomous invocation (platform default). Combined with the ability to run `npx` (remote code) and the rule to auto-execute 'next_steps' returned by the CLI without re-confirmation, this creates a higher blast radius: the agent could autonomously run fetched code that performs trades or reads backup files. This combination raises operational risk for funds and secrets.
