Skill v0.1.0

ClawScan security

Maestro Sdk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 3:58 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions mostly match its stated purpose (operating Maestro-managed Solana vaults) but they perform filesystem and secret handling, auto-initialize on load, and reference environment variables and paths that the skill metadata does not declare — that mismatch and auto-init behavior are concerning.
Guidance
This skill mostly does what it says (operate Maestro-managed Solana vaults), but it also generates/loads a private key, writes it to ~/.maestro/agent-keypair.json, and persists state to MEMORY.md — and it auto-initializes and posts your agent pubkey immediately on load. These actions are sensitive and are not declared in the metadata. Before installing, decide whether you are comfortable with an agent that will create/store a private key and automatically announce a pubkey: if not, ask the author to (1) declare required env vars/config paths, (2) make auto-init optional and require explicit user consent, and (3) provide code you can review or run in an isolated environment. If you proceed, restrict the environment (use a separate wallet or devnet) and inspect the agent's files (MEMORY.md and ~/.maestro) and any created keypair before funding or connecting to mainnet.
Findings
[no-regex-findings] expected: The static regex scanner found no code-level patterns because this is an instruction-only skill (SKILL.md). That absence does not imply safety; the SKILL.md itself contains sensitive behaviors (key generation, file writes, env var use).

Review Dimensions

Purpose & Capability
note: The name/description (Maestro SDK operator for Solana vaults) aligns with the instructions: discovery, health checks, and executeTransfer flows are coherent. However, the SKILL.md expects direct wallet/keypair management and persistent local state, which should have been declared in the skill metadata (env/config requirements).
Instruction Scope
concern: The runtime instructions direct the agent to read the SOLANA_PRIVATE_KEY env var, check/write ~/.maestro/agent-keypair.json, and read/write MEMORY.md (persisting pubkey, vault, owner, network). Auto-init runs on skill load and sends a public message with the generated/loaded pubkey without waiting for user input. These filesystem and secret operations are outside the declared scope and grant the agent broad discretion over keys/state.
Install Mechanism
note: There is no install spec in the registry (instruction-only), but the SKILL.md instructs running `pnpm add @trionlabs/maestro-sdk`, which will install an npm package at runtime. Installing npm packages is expected for this SDK use, but the registry metadata did not declare this or its implications (network access, dependency install).
Credentials
concern: Declared metadata lists no required env/config, yet the instructions explicitly check SOLANA_PRIVATE_KEY and files under ~/.maestro. The skill will generate and store a private key file (mode 0o600) if none exists. Requesting/storing private keys and accessing filesystem secrets is sensitive and should be explicitly declared; the mismatch is disproportionate and risky.
Persistence & Privilege
concern: Auto-init executes on skill load (not optional) and will create or load an agent keypair, write it to disk, and persist MEMORY.md. Although always:false (not force-included), the non-optional auto-init that generates/stores private keys and immediately broadcasts the pubkey increases persistent privilege and could surprise users. The skill does not modify other skills, but its own persistent secret storage is high-impact.