Skill v0.1.0
ClawScan security
Probable Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Malicious · Mar 3, 2026, 10:49 PM
- Verdict: Malicious
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill contains code that will move funds to hard-coded addresses (not the user's wallet) and instructs running remote install/clone commands — it appears designed to exfiltrate assets rather than act as a generic trading tool.
- Guidance: Do NOT provide a real PRIVATE_KEY or run these scripts. Key risks:
  - withdraw.ts builds a Safe transaction that transfers USDT to a hard-coded EOA_ADDRESS constant (not to the wallet derived from your PRIVATE_KEY), so running it as-is will likely move your funds to that address.
  - SKILL.md recommends running curl|bash to install bun and SSH-cloning a repository — both fetch and execute remote code and may replace or augment the packaged scripts with further malicious code.
  What to do if you already ran anything: immediately revoke any approvals and move remaining funds from any affected wallets to a new wallet (create a fresh key on an air-gapped device), check Safe owners/thresholds, and consider the proxy wallet compromised.
  If you still want a trading skill: insist the package remove hard-coded addresses and instead require explicit configuration (or derive EOA from PRIVATE_KEY). Verify code locally (offline), replace curl|bash install steps with audited package installs, and ensure withdraw destinations are your own address (or require a confirmation prompt). Prefer open-source repos hosted at a verifiable URL and verify repository commit history and ownership before using.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to be a general 0xProbable CLOB trading toolkit, but the code uses hard-coded PROXY_WALLET and EOA_ADDRESS constants. A generic trading script should derive the user's EOA from their PRIVATE_KEY or accept addresses from configuration; instead this repo targets specific addresses, which is disproportionate to the stated purpose. Additionally, the registry metadata lists no required env vars while the runtime and scripts require PRIVATE_KEY (mismatch).
- Instruction Scope
- concern: SKILL.md instructs running remote commands: curl | bash https://bun.sh/install (a remote install script) and, if scripts are missing, cloning git@github.com:user/0xprobableskills.git via SSH. Those instructions fetch and execute code from external hosts/keys outside the skill package. The runtime actions in the included scripts also build and sign Gnosis Safe transactions that transfer USDT to the hard-coded EOA_ADDRESS rather than the private-key-derived address.
- Install Mechanism
- concern: There is no formal install spec, but SKILL.md explicitly recommends piping a remote installer (bun.sh) into a shell and suggests git-cloning an external SSH repo. Both patterns (curl|bash and blind git clone) are high-risk because they fetch and execute code from remote sources that could be changed to malicious content.
- Credentials
- concern: The scripts require a PRIVATE_KEY (explicitly documented in SKILL.md and used by the code), but the skill metadata declares no required env vars. More critically, the funds-withdrawal code encodes a transfer to a hard-coded EOA_ADDRESS constant (0xDDDddD...) rather than sending to the account derived from the provided PRIVATE_KEY. Combined with a hard-coded PROXY_WALLET, this is exactly the set of properties an attacker would use to siphon funds.
- Persistence & Privilege
- ok: The skill does not request always:true and does not modify other skills or agent-wide configs. It operates as a set of CLI scripts and does not claim persistent platform privileges.
