Skill v1.0.1

ClawScan security

Trustless Workflow Automation on EVM networks for Agents (powered by Ditto Network) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review (Mar 20, 2026, 7:31 AM)
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions require the user's private key and other sensitive actions but the registry metadata doesn't declare those environment requirements or a trusted source — the behavior is plausible for Ditto workflows but the mismatch and unknown provenance are concerning.
Guidance
This skill appears to implement Ditto network workflow deployment, but the SKILL.md requires you to provide a wallet PRIVATE_KEY and to upload workflow data to a specific Ditto IPFS endpoint — while the registry metadata lists no required environment variables or source homepage. Before installing or following these instructions:

- Do NOT paste or store your main wallet private key into a .env on a machine you don't fully control. Prefer using a hardware wallet, a wallet-provider signing flow, or a temporary/testnet key.
- Treat the requirement to supply a raw PRIVATE_KEY as sensitive. If you must test, use an ephemeral account with minimal funds on a testnet.
- Verify the skill's provenance: find the official Ditto SDK repository and confirm the executor address and IPFS endpoint match official docs. The SKILL.md points to a GitHub repo, but the registry has no homepage — confirm the repo and author are legitimate.
- Review the SDK code (and any session-permission generation) yourself or with an auditor to ensure the session keys grant only the minimal, expected permissions.
- Confirm where any signed data or workflow metadata is uploaded (the specified IPFS_SERVICE_URL) and whether that service requires additional trust.

Given the mismatch between declared requirements and the actual instructions plus unknown source, proceed cautiously; if uncertain, ask the publisher for an explicit explanation of why PRIVATE_KEY is not listed in the registry and request a verifiable homepage or repository link before use.

Review Dimensions

Purpose & Capability
note: The name/description (Ditto on-chain workflow automation) matches the instructions (building, submitting, and funding Ditto workflows). However, the registry metadata declares no required environment variables or credentials while the SKILL.md explicitly requires a PRIVATE_KEY and a specific IPFS_SERVICE_URL — this inconsistency is unexpected and reduces trust in the packaging.
Instruction Scope
concern: The SKILL.md instructs the agent/operator to check project files (package.json, .env), install the Ditto SDK if missing, create TypeScript workflow scripts, load a PRIVATE_KEY from .env, and submit workflows that delegate session permissions to an executor address. Asking for and using the owner's raw private key to create/sign session keys is sensitive. The instructions also require using a specific IPFS endpoint. The scope (reading project files, loading env secrets, uploading to IPFS) is coherent with the stated purpose but broad and sensitive — and the skill does not declare these requirements in its registry metadata.
Install Mechanism
ok: This is an instruction-only skill with no install spec or bundled code — that lowers supply-chain risk. The SKILL.md tells the operator to run npm install for the SDK if missing, which is expected, but there's no packaged install step in the skill itself.
Credentials
concern: The runtime instructions require PRIVATE_KEY and IPFS_SERVICE_URL (with an exact URL). Requiring the owner's private key is sensitive but arguably necessary to sign workflows; however, the registry lists no required env vars and no primary credential. That mismatch (sensitive credential required but not declared) is a red flag. Also ask whether the skill really needs raw private keys vs. a safer signing flow (wallet, hardware signer, or remote signer).
Persistence & Privilege
ok: The skill is not always-enabled and does not request persistent or cross-skill privileges. It does not attempt to modify other skills or system agent settings per the provided data.