Skill v0.1.1

ClawScan security

Beaconchain · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared requirements, and runtime instructions are consistent with its stated purpose of performing a daily beaconcha.in dashboard health check and only require the two expected environment variables plus python3.
Guidance
This skill is internally consistent and implements precisely what it claims: a small Python script that POSTs to beaconcha.in and reports a simple daily status. Before installing, ensure you trust beaconcha.in and are comfortable granting that API key to this script (treat BEACONCHAIN_API_KEY as a secret). Review/scan the included script in your environment before running, store the key in a secure secret store or environment isolated from other services, and consider creating an API key with minimal scope or a dedicated key for this monitoring use. If you plan to run it on a schedule (cron), run it in a restricted environment (non-privileged account, limited network access) and rotate the API key if you suspect compromise. Finally, the skill disables autonomous model invocation, so it will only run when you explicitly call it.

Review Dimensions

Purpose & Capability
ok
Name/description match the implementation: the script POSTs to beaconcha.in performance-aggregate and reads BEACONCHAIN_API_KEY and BEACONCHAIN_DASHBOARD_ID. There are no unrelated binaries, hosts, or credentials requested.
Instruction Scope
ok
SKILL.md instructions align with the script: calls only the documented API endpoint, uses only env vars or CLI flags declared, prints JSON/concise outputs, and documents exit codes. The script does not read other files, spawn shells, or transmit data to other endpoints.
Install Mechanism
ok
No install specification is provided (instruction-only with an included Python script). This is low-risk; the script appears self-contained and uses only Python standard library modules.
Credentials
ok
The skill requires only BEACONCHAIN_API_KEY and BEACONCHAIN_DASHBOARD_ID (and python3). Those are appropriate and necessary for calling the beaconcha.in API. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok
Skill is not always-enabled and sets disableModelInvocation=true (so the model will not autonomously invoke it). It does not modify other skills or system settings.