Skill v1.4.0

ClawScan security

Fuego · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 1, 2026, 7:23 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions mostly match a local Solana wallet, but several design choices (unencrypted local private key file, server-side signing exception, and implicit npm/cargo installs) are risky or deserve closer review before use.
Guidance
This skill is functionally coherent for a local Solana wallet, but it has security trade-offs you should evaluate before installing:
- Do not install blindly from npm: verify the package owner, repository URL, and package contents (or prefer installing from a vetted release). Ask for the exact npm package name, publisher, and checksum; inspect the code before running `npm install -g` or `cargo build`.
- The wallet stores a private key in ~/.fuego/wallet.json as unencrypted JSON. Treat this as highly sensitive: do not put large funds into this wallet until you audit the code. Prefer an encrypted key or hardware wallet when possible.
- The local server binds to 127.0.0.1:8080 and exposes signing endpoints. Ensure the server really binds to localhost, keep file permissions strict (chmod 600), and run it only on machines you control. Consider firewall rules to block remote access.
- The /x402-purch endpoint requires the server to sign server-side, which deviates from the "private keys never leave your machine" claim. Only use this feature if you trust the code and understand the temporary server-side access model.
- The Jupiter API key is stored in ~/.fuego/config.json; treat it like any API secret and store accordingly. If you do not need swaps, avoid configuring the key.
If you want to proceed, request the npm package name and repository, review the source (especially wallet loading/signing code and backups), and consider running the CLI/server in an isolated environment (VM/container) with minimal funds for testing.

Review Dimensions

Purpose & Capability
note
Name/description align with the instructions: it is a local Solana wallet plus a local server for building/submitting transactions and optional Jupiter swaps. The declared required binaries (node for the npm CLI, cargo for building the Rust server, curl for API testing) are consistent with the described workflow. However, the SKILL does not declare the external npm package it expects to install, and the instructions expect the user to install and run code from npm and to build Rust code locally. These steps are reasonable for this purpose but worth verifying (publisher, package integrity).
Instruction Scope
concern
The runtime instructions explicitly tell agents to read and use a local private-key file (~/.fuego/wallet.json), described as "simple JSON, no password!", and to sign transactions locally. That is within the wallet's purpose but is a high-risk design choice: storing an unencrypted key and instructing automated agents to load it grants broad signing ability to anything that can access that path or call the local server. The special-case /x402-purch endpoint performs server-side signing (the server temporarily accesses the key), which is scope creep and a security exception compared with the rest of the model and requires strong scrutiny.
Install Mechanism
note
There is no registry install spec, but the SKILL instructs the user to run `npm install -g fuego-cli` and to build a Rust server with Cargo. Fetching and installing an npm package and compiling Rust source are normal for a CLI/server workflow but carry supply-chain risk: you are installing code from the npm registry and building Rust code locally, and both steps can execute arbitrary code (npm lifecycle scripts, build.rs and proc-macros). The skill does not include checksums, repository links, or a pinned publisher, so verify the npm package and source before installing.
Credentials
concern
The skill declares no required environment variables, which fits. But it instructs storing sensitive secrets (private keys) in an unencrypted JSON file and storing an optional Jupiter API key in ~/.fuego/config.json. Requiring an unencrypted wallet file is disproportionate from a security perspective: the skill design grants powerful local signing ability without protective secrets or hardware-wallet integration. The number of sensitive artifacts (wallet.json, backups) is small but highly privileged.
Persistence & Privilege
note
always:false and no special platform privileges are requested, which is appropriate. The skill runs a localhost server (127.0.0.1:8080) that can sign/broadcast transactions; that is normal for a local wallet but creates an attack surface if the host exposes the port or if other local processes are malicious. Autonomous agent invocation is allowed (platform default); combined with the unencrypted key file, the risk increases if agents are given permission to call the local endpoints without human confirmation.
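The Guidance section above asks the user to verify the npm package before installing, keep ~/.fuego/wallet.json and ~/.fuego/config.json at mode 600, and confirm the server really listens only on 127.0.0.1:8080; this dimension repeats the port-exposure concern. The script below is an added example of those pre-flight checks, written for this review and not part of Fuego or ClawHub. The paths, file names and port come from the review text; the function names, the `preflight` entry point and the two sample `ss -ltn` listings are assumptions constructed for illustration, and `npm view` / `npm pack` are standard npm subcommands that need network access.

```shell
#!/usr/bin/env bash
# Added example for this review (not Fuego's or ClawHub's own code): pre-flight checks to run
# before installing the CLI and before funding the wallet. Paths, file names and the 8080 bind
# come from the review; function names and sample socket listings are assumptions.

# Secret files (wallet.json, config.json, backups) should be regular files with mode 0600.
# Returns 0 only when the file exists and is readable/writable by its owner alone.
secret_file_perms_ok() {
  local f="$1" mode
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# Given `ss -ltn` style output, return 0 when every LISTEN socket on $port is bound to a
# loopback address (127.0.0.1 or [::1]); return 1 if any listener on that port is bound to
# 0.0.0.0, [::], * or an interface address and is therefore reachable from other hosts.
wallet_port_loopback_only() {
  local port="$1" listing="$2"
  printf '%s\n' "$listing" | awk -v p="$port" '
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
      addr  = substr($4, 1, RSTART - 1)
      lport = substr($4, RSTART + 1)
      if (lport == p && addr != "127.0.0.1" && addr != "[::1]") bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# Registry facts to compare against what the skill claims (needs network; not run by the
# offline checks below): publisher list, repository URL and the integrity hash of the tarball.
npm_package_report() {
  local pkg="$1"
  npm view "$pkg" name version maintainers repository.url dist.integrity
}

# Download the tarball without installing it so the contents can be read first.
npm_fetch_for_review() {
  local pkg="$1" dest="$2" tgz
  mkdir -p "$dest"
  tgz=$(npm pack "$pkg" --pack-destination "$dest" | tail -n 1) || return 1
  tar tzf "$dest/$tgz"
}

# Constructed sample listings (not captured from a real machine): one with the wallet server
# bound to loopback only, one with it bound to all interfaces.
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*'
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*'

# Offline checks against the real host; invoke as `bash fuego-preflight.sh --run`.
preflight() {
  local rc=0 f
  for f in "$HOME/.fuego/wallet.json" "$HOME/.fuego/config.json"; do
    if [ -e "$f" ]; then
      if secret_file_perms_ok "$f"; then echo "ok   $f is mode 0600"
      else echo "FAIL $f is not mode 0600 (chmod 600 it)"; rc=1; fi
    fi
  done
  if command -v ss >/dev/null 2>&1; then
    if wallet_port_loopback_only 8080 "$(ss -ltn)"; then echo "ok   port 8080 loopback-only (or not listening)"
    else echo "FAIL port 8080 is bound to a non-loopback address"; rc=1; fi
  fi
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

`wallet_port_loopback_only` also passes when nothing listens on the port, so run it after the server is started. The two network helpers are deliberately separate from `preflight`: compare the `maintainers` and `repository.url` that `npm view` reports with whatever the skill author tells you, and read the `tar tzf` listing (and the tarball's package.json scripts) before any `npm install -g`.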