Skill v1.0.8
ClawScan security
exploring-solana-with-solscan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 7:47 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (querying Solscan Pro), but the package metadata omits the required API credential and does not declare runtime dependencies, which is an incoherence you should understand before installing.
- Guidance: This skill appears to do what it claims (talk to the Solscan Pro API), but the registry metadata is missing important runtime requirements. Before installing: (1) confirm you will provide a SOLSCAN_API_KEY (the script will exit without it); (2) ensure the environment has Python and the 'requests' library or declare/install that dependency; (3) treat the API key as a secret — supply it only to trusted environments and consider using scoped/limited API keys; (4) review the included scripts locally (they are readable) and verify there are no additional network endpoints beyond pro-api.solscan.io; (5) if you expect strict metadata, ask the publisher to update the package to declare the required env var and any dependencies. If you cannot verify these points, avoid installing or run the skill in an isolated environment.
Review Dimensions
- Purpose & Capability (note): The name, SKILL.md, and the included scripts/solscan.py all consistently implement Solscan Pro API queries for accounts, tokens, NFTs, transactions, etc. The capabilities requested by the skill align with its stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to call a local CLI wrapper (python3 scripts/solscan.py) and describes only Solscan API interactions. The instructions do not ask for unrelated files or system data. However, SKILL.md and the script require an API key for requests, which is not declared in the registry metadata.
- Install Mechanism (ok): There is no install spec (instruction-only with a bundled script). No remote downloads or archive extraction are used. The code is local and readable, lowering install-time risk.
- Credentials (concern): The runtime script requires the SOLSCAN_API_KEY environment variable (and SKILL.md specifies a Solscan API key), but the registry metadata lists no required env vars or primary credential, which is a clear mismatch. The script also depends on the Python 'requests' package, but no dependency or runtime requirements are declared in metadata.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request persistent system-wide privileges. It can be invoked autonomously per platform defaults (disable-model-invocation is false), which is expected for skills and not flagged on its own.
