Skill v1.0.0
ClawScan security
CrawlHub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 12:09 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (reselling CrawlHub API access) is plausible, but several mismatches and missing pieces (no server code, inconsistent pricing, undeclared API keys, and instructions that touch system and workspace paths) leave its actual behavior unclear. It warrants further review before use.
- Guidance: Do not run this package, and do not send funds, based solely on what it ships. Before installing or running anything: (1) Request the missing server source (dist/server.js) and review it; do not run code you have not inspected. (2) Resolve the pricing inconsistency (0.010 ETH vs 0.015 ETH) and verify the operator identity behind the hardcoded payment address. (3) Ask how Etherscan verification is performed and whether an ETHERSCAN_API_KEY or other credential is required; any such secret must be declared and handled securely. (4) Confirm where CrawlHub API keys are generated and stored, and obtain proof that valid keys will be issued (or request an auditable key-issuance mechanism). (5) If you must test, run the reseller service in an isolated sandbox or container with no access to your host /root workspace or other agents' data, and do not transfer real ETH until you fully trust the operator. If the package owner cannot supply a complete server implementation and clear credential handling, treat the skill as incomplete and do not deploy it in production.
Review Dimensions
- Purpose & Capability (concern): The skill claims to run a 'Reseller Agent' that issues CrawlHub API keys, verifies Ethereum payments via Etherscan, and runs a server (node dist/server.js). The repository, however, contains no dist/server.js and no other server code; only two small helper scripts and API documentation are present. The price is also inconsistent (SKILL.md: 0.010 ETH; references/crawlhub-api.json: 0.015 ETH). The skill declares no credentials or configuration for CrawlHub backend access or for an Etherscan API key, yet claims to deliver API keys and perform on-chain verification. These gaps are not proportionate to the stated capability.
- Instruction Scope (concern): Runtime instructions tell operators and agents to start a Node server from /root/.openclaw/workspace/reseller-agent and to read and write /tmp/reseller-events.json and /root/.openclaw/workspace/reseller-agent/notifications.json. The helper scripts post JSON-RPC tasks to localhost:3000. SKILL.md also references on-chain verification (Etherscan) and A2A JSON-RPC interactions with other agents. These instructions reach into system and workspace paths outside the skill bundle and grant broad discretion to interact with other agents, which extends the scope well beyond the two included scripts and could result in unintended access to the local agent workspace or to other skills' files.
- Install Mechanism (note): There is no install spec (the skill is instruction-only plus two client helper scripts), so nothing is downloaded automatically, which lowers install-time risk. The instructions nevertheless expect a prebuilt Node service at /root/.openclaw/workspace/reseller-agent/dist/server.js to be present and runnable; since that code is not included, the skill as shipped cannot operate without fetching or placing additional code. If the missing pieces are later sourced from an untrusted location, running that unreviewed server code in the root workspace would be high risk.
- Credentials (concern): The skill declares no required environment variables or primary credentials, yet its runtime behavior depends on external services: Etherscan for on-chain verification and a CrawlHub backend for API key issuance. Neither an Etherscan API key nor CrawlHub service credentials are declared or explained. The skill also hardcodes a payment address (0x19c4...) and asks users to send ETH to it; that is a sensitive financial action, and the package ties the address to no verifiable operator identity. The absence of declared credentials for service verification is disproportionate to the stated operations.
- Persistence & Privilege (note): The skill is not always-enabled and requests no platform-level privileges, which is good. It does, however, instruct reading and writing files under /root/.openclaw/workspace and /tmp and running a server from that workspace, which can alter agent workspace state and notifications for other local agents. The package does not grant these capabilities itself, but following its instructions implies a persistent local service and ongoing workspace writes, and that expectation should be treated with care.
