Skill v0.1.0

ClawScan security

EM-A2A · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:36 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (TRON A2A payments, escrow, credit checks) matches its declared env needs, but it instructs running a remote npm package (via npx) that would receive your private key and perform on-chain/online operations — a sensitive combination that warrants caution and code review before use.
Guidance
This skill appears to do what it advertises, but it requires handing a TRON private key to a remote npm package executed at runtime. Before installing or using it: (1) verify and audit the npm package and GitHub repo (check publisher, recent commits, and open-source code), (2) prefer using testnet (shasta) and never expose a production mainnet private key until code is reviewed, (3) consider using a signing service or a limited-scope hot wallet address rather than a full private key in env, (4) pin package versions (do not rely on floating 'latest'), (5) run the package in an isolated environment and monitor network traffic, and (6) if you need autonomous agent invocation with the key, remove autonomous invocation or rotate keys frequently. If you cannot audit the upstream package and backend services (credit/AML endpoints), treat this skill as high-risk and avoid giving it access to valuable keys.

Review Dimensions

Purpose & Capability
ok: Name, description, and declared capabilities (payments, escrow, credit, identity on TRON) align with the declared environment variables A2A_NETWORK and A2A_PRIVATE_KEY and the provided toolset (@poisonpyf/a2a-mcp). The requested credentials are consistent with signing TRON transactions.
Instruction Scope
concern: SKILL.md instructs configuring an MCP to run 'npx @poisonpyf/a2a-mcp' with A2A_PRIVATE_KEY in the environment. That means an external, remote package will run with access to the private key and can make arbitrary network calls. The instructions also imply third-party services (credit/leaderboard/AML) without specifying endpoints or data flows, leaving potential for unexpected data transmission.
Install Mechanism
note: No formal install spec in the skill bundle, but the runtime instructions explicitly run a package from npm via npx. Executing remote npm packages at runtime is a moderate risk because it downloads/executes third-party code on demand; the package scope (@poisonpyf) is not a widely-known vendor, so upstream code should be audited before trusting it with keys.
Credentials
concern: Only A2A_NETWORK and A2A_PRIVATE_KEY are requested, which is proportionate to the stated blockchain payment function. However, the private key is highly sensitive — giving it to a runtime process you do not control (npx-invoked package) creates a high-exposure scenario. No mitigation (e.g., read-only wallet, signing service, or hardware key) is described.
Persistence & Privilege
note: always:false (normal). The skill permits autonomous model invocation (default), which combined with runtime execution of remote code and access to a private key increases blast radius if the package or upstream services are malicious or compromised. The skill does not request persistent system-level privileges or other skills' configs.