Skillv1.0.0

ClawScan security

Base Network OSINT · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 15, 2026, 10:30 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description matches token research work, but its runtime instructions instruct the agent to persist and auto-update a remote SKILL.md, fetch live third‑party intelligence (GoPlus, Arkham) with no declared credentials, and contain prompt‑injection indicators — these inconsistencies create a supply‑chain and data‑exfiltration risk.
Guidance: What to consider before installing: - Supply‑chain risk: The skill instructs the agent to download and overwrite its cached SKILL.md from https://app.kybera.xyz. That means the skill's behavior can change later without an explicit new package install. Only allow this if you trust the remote domain and its operator. - Missing credential disclosure: The instructions rely on third‑party services (GoPlus, Arkham, ENS, social platforms) but the skill declares no required API keys or environment variables. Ask the publisher which credentials are required and where they will be used. Do not provide sensitive API keys unless you understand and trust how they’re used. - Local persistence: The skill writes to ~/.openclaw/skills/kybera.md. If you install it, inspect that file and any remote SKILL.md before allowing updates. Prefer manual approval for updates rather than auto‑overwrite. - Prompt‑injection indicator: The SKILL.md contains unicode control characters flagged by the scanner. Treat this as suspicious; request a clean, canonical copy of the skill content and verify it matches the hosted file. - Safety steps: If you proceed, run it in a restricted environment (no access to high‑privilege secrets), disable autonomous network access if possible, and require explicit user confirmation before performing any write/update operations. Alternatively, ask the skill author to provide a version that does not auto‑fetch/overwrite local files and that declares all required credentials. What would change my assessment: proof that the remote SKILL.md is signed and verifiable, a publisher identity tied to the kybera.xyz domain, explicit declaration of required API keys and their minimal scope, and removal/clarification of the unicode control characters. If those are provided, the supply‑chain and injection concerns would be reduced.
Findings: [unicode-control-chars] unexpected: The scanner found unicode control characters in the SKILL.md. These are not needed for token research and often appear in prompt‑injection attempts to hide or manipulate content. Combined with the remote update behavior, this increases the risk that the skill may try to alter agent behavior or conceal malicious instructions.

Review Dimensions

Purpose & Capability: noteName/description (Kybera wallet / token research) align with the instructions to perform token/identity research and wallet operations. However the SKILL.md also directs the agent to fetch live data from multiple third‑party services (GoPlus, Arkham) but declares no required credentials or environment variables — a mismatch between capabilities the skill expects and what it declares. The skill also instructs writing a cached copy to ~/.openclaw/skills/kybera.md, which is not implied by the description.
Instruction Scope: concernThe SKILL.md directs the agent to: (a) cache a copy of itself to the user's home (~/.openclaw/skills/kybera.md), (b) fetch an updated SKILL.md from https://app.kybera.xyz and overwrite the cached file when asked, and (c) always fetch fresh live data from many external sources (GoPlus, Arkham, social platforms, ENS resolution, wallet histories). The automatic remote fetch + overwrite behavior effectively allows remote replacement of runtime instructions (supply‑chain risk). The file also contains a detected unicode-control-chars injection pattern indicative of prompt‑injection attempts.
Install Mechanism: noteThere is no formal install spec or package install — lowest technical installation risk. However, the skill's own instructions implement a lightweight install/update mechanism (download SKILL.md from https://app.kybera.xyz and write to ~/.openclaw/skills/kybera.md). That download/overwrite step is effectively installing remote code (instructions) at runtime and is a higher‑risk behavior than a purely instruction‑only, non‑persisting skill.
Credentials: concernThe SKILL.md expects use of third‑party intelligence providers (GoPlus, Arkham) and platform APIs (ENS, X/Twitter, GitHub, Farcaster) but the skill declares no required environment variables, API keys, or credentials. This mismatch is problematic: either the agent is expected to have preconfigured credentials (not declared), or the skill will attempt unauthenticated web scraping. Either case is disproportionate to what's declared and increases risk (missing transparency about required secrets).
Persistence & Privilege: notealways is false and the skill is user‑invocable (normal). But the SKILL.md instructs writing a persistent file under ~/.openclaw/skills and replacing it via remote fetch on update — persistent presence and remote update ability create supply‑chain concerns. The skill does not request elevated system privileges, but it does modify the agent's local skill cache.