Skill v0.1.1
ClawScan security
Aster Futures · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 10:00 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to be a legitimate trading helper but is internally inconsistent: it requires ECDSA signing with a private API wallet (high-privilege secret) yet declares no credentials or mechanism for providing that secret, which is a concerning omission.
- Guidance: This skill is 'suspicious' because it needs your API wallet private key to sign trade requests but does not declare how it will get or store that secret. Before installing or using it:
  1) Do not paste your main wallet private key into chat or into the agent; prefer a dedicated API key/wallet with minimal permissions.
  2) Ask the author how credentials are provided (env vars, vault, or interactive prompt) and request explicit metadata declaring required env vars.
  3) If you must test, use a testnet or a dedicated account with zero funds and IP/permission restrictions.
  4) Disable autonomous invocation (or require manual approval) so the agent cannot place or cancel orders without your explicit confirmation.
  5) Prefer a signing workflow that uses remote/hardware signing or a short-lived delegated credential rather than exposing raw private keys.
Review Dimensions
- Purpose & Capability
  - concern: The skill's stated purpose (placing and querying futures orders via Aster's API) legitimately requires EIP-712 signing and access to an API wallet private key. However, the registry metadata declares no required environment variables or primary credential even though the included authentication reference and examples explicitly use SIGNER_PRIVATE_KEY and wallet addresses. That mismatch (needing a private key but not declaring how it will be supplied) is incoherent and disproportionate.
- Instruction Scope
  - concern: SKILL.md and references/authentication.md instruct the agent to call fapi.asterdex.com endpoints, use curl/jq for data extraction, and perform EIP-712 signing. The authentication doc includes a Python example that embeds SIGNER_PRIVATE_KEY and demonstrates signing and posting orders (including placing/cancelling orders and 'cancel all' operations). The instructions do not specify how the agent should obtain/store the private key (env var, secure vault, user prompt), nor do they constrain when trade-affecting endpoints can be used. That lack of specification expands the agent's discretion and could lead to accidental or unauthorized use of high-privilege operations.
- Install Mechanism
  - ok: This is an instruction-only skill with no install spec and no code files to write to disk, which minimizes install-surface risk.
- Credentials
  - concern: The skill requires signing with an API wallet private key to perform trading (highly sensitive). Yet the package metadata lists no required env vars, no primary credential, and no required config paths. There is no guidance in metadata about required secret scope or least-privilege credentials. The endpoints documented include destructive actions (placing orders, cancel all open orders), so requesting full private-key signing capability is high privilege and should have been explicitly declared and scoped.
- Persistence & Privilege
  - note: The skill is not marked always:true; it is user-invocable and allows model invocation (default). That means if the agent is given credentials it could act autonomously and place/cancel trades. Autonomous invocation alone is normal for skills, but combined with the missing credential declaration and high-privilege trading endpoints this increases the blast radius; the skill should document explicit runtime approval flows and credential handling.
