Back to skill
Skillv1.0.0
ClawScan security
BOB · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 14, 2026, 3:52 PM
- Verdict
- Review
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions contradict its own security claims, require running shell/node/npm commands that aren't declared, and tell the agent to always follow remote 'agentHint' responses — this combination is suspicious and warrants caution before providing any private key.
- Guidance
- Do not paste your long-term EVM private key into this skill. Key issues: (1) SKILL.md contradicts its own 'no shell/FS' security claim — it runs curl, node, and npm; (2) it tells the agent to always follow server-sent 'agentHint' values, which could cause the remote site to make the agent perform arbitrary actions; (3) required tools (node, npm, curl, ethers) are not declared in the manifest. If you still want to try it, use an ephemeral wallet with only the exact mint amount + gas, or use an external signer/hardware wallet so the private key never touches the agent process. Verify and audit the remote site (https://www.bobsmint.xyz) and prefer a flow where signing is done in a trusted wallet interface rather than pasting a private key into an agent-controlled runtime.
Review Dimensions
- Purpose & Capability
- concernThe skill claims no required binaries or env vars and explicitly states it "does not access your filesystem, run shell commands, or execute arbitrary code," but the SKILL.md instructs the agent to run curl, node, and npm commands and to run a Node signing script. Required tools (curl, node, npm, ethers) are not declared in the manifest — this mismatch is incoherent with the stated purpose/security model.
- Instruction Scope
- concernRuntime instructions ask the agent to: request the user's EVM private key, run shell curl requests, check for and possibly install the ethers package (npm install --prefix /tmp), execute a Node signing script, and — importantly — 'always read and follow the agentHint' returned by the API. Allowing an external server-supplied agentHint to be followed blindly gives the remote endpoint a channel to direct the agent to arbitrary actions, which is scope creep and a potential control/exfiltration vector.
- Install Mechanism
- noteNo formal install spec is provided, but the instructions include an ad-hoc install flow: checking for ethers with node -e and, if missing, running 'npm install --prefix /tmp ethers'. This writes to /tmp and modifies the runtime environment; using npm is standard but the skill failing to declare these requirements in the manifest is an implementation inconsistency.
- Credentials
- noteThe skill legitimately needs an EVM private key to sign a mint transaction, and it doesn't request unrelated credentials. However, it asks the user to provide their private key directly to the agent (no integration with a hardware wallet or external signer is described), which is high-risk in practice. The manifest declares no primary credential even though the private key is central to operation.
- Persistence & Privilege
- concernThe skill is not marked 'always' and does not request persistent privileges, which is appropriate. However, the instruction to 'always follow' remote agentHint combined with default autonomous invocation expands the remote server's effective control scope: the server can send instructions that the agent is told to execute. That combination increases risk and should be considered before enabling autonomous runs.