Skillv0.1.0

ClawScan security

last30days-surf · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 11:20 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and SKILL.md largely align with its stated purpose (30‑day social research) but the package metadata under‑declares required config/credentials and the code will read multiple env vars/config files (and can use paid surf calls), so there are coherence and proportionality concerns you should resolve before installing.
Guidance: What to consider before installing: - Full functionality requires a SURF_API_KEY and funding a surf wallet (USDC → surf wallet). If you provide that key you will be authorizing pay-per-use network calls to surf.cascade.fyi (including LLM inference endpoints) — expect costs and network traffic. - The package metadata does not list SURF_API_KEY or config paths even though SKILL.md and the code clearly read env and config files (~/.config/last30days-surf/.env, .claude/last30days-surf.env). Treat this as a metadata bug and prefer the SKILL.md instructions. - The code will opportunistically read many other env vars (Google/Gemini/OpenAI keys, X/Twitter cookie tokens, BSky creds, etc.) if present. To avoid accidental leakage or unexpected API usage, run the skill in a controlled environment (no unrelated keys in process env) or use the --mock flag to test locally first. - Auditing suggestions before use: (1) run python3 <skill-path>/scripts/last30days.py --mock to verify behavior without network; (2) inspect lib/surf_client.py and surf_adapters.py to confirm what endpoints are called and what headers are sent; (3) run the script in an isolated container or VM the first few times; (4) check and restrict permissions of config files (SKILL.md already suggests 600) and remove unrelated API keys from your environment when invoking the skill. - If you plan to use it, ask the publisher to: update registry metadata to declare SURF_API_KEY and the config paths, and document exactly which other env vars are optionally consumed. That will make the permission/credential model explicit and reduce surprise. Confidence note: The issues look like an engineering/packaging oversight (metadata under-reporting and permissive env reads) rather than clear malicious behavior, hence the overall 'suspicious' verdict with medium confidence. Additional certainty would come from a line-by-line audit of network call sites in the shipped Python modules and confirmation of whether any unexpected remote endpoints receive sensitive environment values.

Review Dimensions

Purpose & Capability: concernThe skill genuinely needs network access to many social/web endpoints and an optional SURF_API_KEY for full functionality — that matches the description. However the registry metadata lists no required env vars or config paths, while SKILL.md repeatedly instructs users to set SURF_API_KEY and to place config in ~/.config/last30days-surf/.env or .claude/last30days-surf.env. That mismatch (declared: none vs actual: SURF_API_KEY and config files) is incoherent and should be corrected.
Instruction Scope: concernRuntime instructions explicitly read process env and project/global config files, probe surf, and fall back to a reduced 'free baseline'. The SKILL.md also imposes many formatting/voice rules and instructs the agent how to behave (e.g., stop on 402 and walk user through wallet top-up). Reading user config files (~/.config/*, .claude/*) and scanning env is outside what the registry declared and broadens the surface area. Most of these actions are explainable for a research pipeline, but the explicit file reads and the wallet top-up workflow are notable and deserve user attention.
Install Mechanism: noteNo install spec is provided (agent runs the bundled Python scripts directly), which is low risk in terms of external binary downloads. However the skill ships ~66 code files (Python) that will run locally when invoked. There are no archive downloads or obscure external installers, but the code performs network calls to external services (surf.cascade.fyi, surf inference endpoints, GitHub, etc.).
Credentials: concernRegistry declares no required env vars, yet SKILL.md requires SURF_API_KEY for full functionality and documents config files to store it. The codebase (e.g., evaluate.py's create_eval_env) also reads many other API keys/tokens if present (GOOGLE_API_KEY/GEMINI_API_KEY, OPENAI_API_KEY, XAI_API_KEY, SCRAPECREATORS_API_KEY, CT0, AUTH_TOKEN, BSky credentials, etc.). That indicates the skill may opportunistically use other credentials present in the environment — this is a proportionality/privacy concern and should be made explicit in metadata and docs.
Persistence & Privilege: notealways:false (no forced persistent installation) which is appropriate. The skill does read/write config files under ~/.config/last30days-surf and caches evaluation artifacts (judgments cache), so it will create local state. It does not request elevated platform privileges or modify other skills' configs, per the provided files.