Skill v1.1.0

ClawScan security

Agentwallet Sdk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 25, 2026, 7:33 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's high-level claims (spend-limit enforcement, ERC-6551, audits) do not match the provided instructions and metadata, and it asks the agent to run external npm packages and use private keys without declaring where or how credentials should be stored.
Guidance
Do not install or use this skill in a production agent until the author/source is verified. Ask for: (1) a repository or homepage and signed release artifacts so you can inspect the actual npm package (match package name, version, and author), (2) audited smart contract addresses and the specific on-chain mechanism implementing per-tx/day spend limits and how approvals are enforced, (3) explicit instructions for secure private key handling (recommended: hardware secure enclave or platform-managed secret store) and which environment variables or RPC/API keys are required, and (4) a clear threat model describing what the agent will be allowed to sign/submit automatically. If you must test, run it in an isolated sandbox with no real funds and monitor outbound network calls and filesystem access. If you cannot obtain clear answers and source code, treat the package as untrusted.

Review Dimensions

Purpose & Capability
concern: Metadata/description claims spend-limit enforcement, ERC-6551 wallets, scoped operators and approval queues on Base, but the included SKILL.md shows examples for ERC-4337 smart accounts, basic transfers, Uniswap/CCTP operations and x402 payments with no code or prose implementing spend limits, approval queues, or ERC-6551. Version fields disagree (registry 1.1.0, skill.json 1.0.0, SKILL.md references npm v2.4.1). Homepage/source are missing. These inconsistencies mean the skill may not do what it claims.
Instruction Scope
concern: SKILL.md instructs installing an external npm package and shows code that expects a privateKey variable (agent-held secret) and performs payments, swaps and bridging to arbitrary endpoints/chains. There are no concrete safeguards, no declared storage or approval workflow, and no instructions for enforcing per-tx/day budgets even though the top-level description emphasizes them. The instructions therefore give broad discretion to sign and send value without specified guardrails.
Install Mechanism
note: This is an instruction-only skill (no install spec or code bundled), which is lower static risk, but the SKILL.md explicitly directs 'npm install agentwallet-sdk' — instructing the agent to fetch and run external code at runtime. npm is a well-known host, but the package version in the document differs from other metadata and no source/homepage repository is provided, increasing uncertainty about what will be installed.
Credentials
concern: The skill requests no environment variables or primary credential, yet its example usage requires a private key and blockchain RPC/API access (for payments, bridging, swaps). A wallet SDK that signs transactions typically requires secrets and provider endpoints; their absence from the declared requirements is disproportionate and unexplained. That gap increases the risk of ad-hoc secret handling or insecure prompts at runtime.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not claim to modify other skills or system-wide settings. Autonomous invocation is enabled (platform default), which is expected for an operational SDK, but this combined with the other concerns increases operational risk; by itself the persistence/privilege model is acceptable.