Back to skill
Skillv0.2.1
ClawScan security
Build apps with Bitcoin and Stablecoins on Arkade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 6:41 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only development guide for the Arkade TypeScript SDK that is internally consistent with its stated purpose and does not request extra credentials, installs, or privileged persistence.
- Guidance
- This skill is a documentation-style developer guide and appears coherent with that purpose. If you plan to use the referenced packages, verify the npm packages (@arkade-os/sdk, @arkade-os/skill, @arkade-os/boltz-swap) and their maintainers on the official registry, confirm the arkade and boltz endpoints are correct, and avoid hardcoding private keys (use a secure KMS). Because the skill is instruction-only, risk comes from following its external commands (npm installs, network calls) — review package sources, check package versions and lockfiles, and test in an isolated/dev environment before using with real funds.
Review Dimensions
- Purpose & Capability
- okThe name/description (Arkade SDK, wallets, Lightning, swaps) matches the content: code snippets, SDK usage, and API endpoints for Arkade and Boltz. Nothing in the file asks for unrelated capabilities or credentials.
- Instruction Scope
- okSKILL.md contains sample TypeScript usage, npm install commands, and API endpoint references. It does not instruct the agent to read system files, environment variables, or transmit arbitrary data outside the documented Arkade/Boltz endpoints.
- Install Mechanism
- okNo install spec or bundled code is provided; this is instruction-only. The guide references installing npm packages (normal for a developer guide) rather than downloading arbitrary artifacts.
- Credentials
- okThe skill declares no required environment variables or credentials. The content responsibly warns not to hardcode private keys. No disproportionate credential access is requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system presence or modify other skills/config. Autonomous invocation is allowed by default but not combined with other red flags.