Skill v1.0.7

ClawScan security

Tmp.TjV0AQIrmN · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 6, 2026, 2:56 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement a DeFi research and client library for the KNAB/AIMS vaults and its requirements and instructions are broadly consistent with that purpose, but there are a few implementation/metadata mismatches and practical risks (private keys, referral calls, tiny pool sizes and marketing claims) you should understand before use.
Guidance
This skill is a coherent KNAB/AIMS on-chain research and client library: its code and instructions line up with its claims. Before installing, consider: (1) Read-only mode is default — never provide your private key unless you explicitly want the skill to send a transaction; prefer ephemeral signing (hardware wallet, walletconnect) rather than handing a raw private key to the agent. (2) The skill includes referral/invite functions — if you authorize writes you could automatically set referral codes that benefit the operator. (3) Some pools listed have very small reserves (e.g., 0.4 or 4.6 units) and the README uses aggressive yield language — independently verify contract source on the listed block explorers and do your own risk checks. (4) The registry metadata claimed 'instruction-only' but the bundle contains compiled JS/TS files — that mismatch is benign but worth noting. If you plan to allow any write actions, only proceed after manual review of the contract addresses on-chain and using secure signing methods; if you want purely read-only analysis, deny write authorization and avoid giving signing keys.

Review Dimensions

Purpose & Capability
ok
Name/description (KNAB/AIMS vault research & operations) match the included JS/TS code and tokens.json, which provide RPC endpoints, contract addresses, read-only probes and write methods (deposit/withdraw/refer). Required binaries (node, curl/wget) are reasonable for a JS-based on-chain tool. The presence of functions that accept a private key (Knab constructor) is expected for a client library that can perform transactions.
Instruction Scope
note
SKILL.md confines the agent to read-only by default, requires explicit human authorization for writes, and points to tokens.json for addresses/RPCs; this matches code behavior. Note: write methods (deposit, withdraw, setInviteCode, acceptInvite, refer) exist in the code, and performing them requires supplying wallet credentials to the agent at runtime. SKILL.md instructs the agent never to persist wallet credentials, but enforcement of that rule rests on the agent/human following it at runtime. Also, the skill triggers on many keywords (including financial-advice phrases like 'what should I invest in'), which grants it broad activation scope whenever those keywords appear.
Install Mechanism
ok
No install spec / download step is present (low risk). The bundle includes compiled JS/TS and a tokens.json file, so the skill is not purely 'instruction-only' despite the metadata saying 'instruction-only'; the code is bundled rather than fetched at install time. There are no external or obfuscated download URLs in the bundle.
Credentials
note
The skill declares no required environment variables or credentials, which is proportionate for read-only queries. However, to execute writes the code expects a private key or signer (the constructor accepts privateKey). That is reasonable but sensitive: the skill does not request environment-stored credentials, but it will require the user to provide wallet credentials at transaction time. The code also exposes referral/invite methods (setInviteCode, acceptInvite, refer); these are coherent with the protocol but mean the skill can participate in referral flows if the user enables writes.
Persistence & Privilege
ok
The skill sets always:false and uses normal autonomous invocation settings. It does not request system-wide privileges, nor does it request to modify other skills. There is no evidence in the provided files of attempts to persist credentials to disk or modify agent config, though the bundle relies on the agent following the SKILL.md rule not to store wallet keys.