Pluginv1.0.1

ClawScan security

Gensyn Delphi Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 22, 2026, 6:46 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (Delphi market tooling) is plausible, but the bundle manifest and runtime instructions disagree about which sensitive environment variables are required and how the agent may access them — that mismatch and over-broad env requirements are concerning.
Guidance: This skill appears to implement the advertised Delphi market functionality, but there are important mismatches around secrets and runtime behavior you should resolve before installing. What to check before installing: - Inspect openclaw.bundle.json and confirm which environment variables are actually required. It should not require both WALLET_PRIVATE_KEY and Coinbase CDP secrets at once; those should be conditional based on the chosen signer. - Decide whether you'll run the skill locally (recommended) or let an agent run it. If running locally, keep private keys/CDP secrets only in your environment or a secure secret store — never paste them into chat. - If you plan to let the agent invoke scripts on your host, be aware the SKILL.md forbids the agent from reading .env, but running the scripts requires those env vars in the process environment. Clarify with the developer how secrets are expected to be provided to the runtime. - Prefer using the CDP (server wallet) option if you can, since it avoids exposing raw private keys to the agent, and verify the CDP claims in the SDK docs. - Ask the maintainer to fix the bundle manifest to: (a) mark only DELPHI_API_ACCESS_KEY as primary required env, (b) make signer-related variables optional/conditional, and (c) document precisely whether the agent will ever access secrets. If you cannot verify these points, treat the skill as read-only (use only market listing / quoting / subgraph queries) and do not provide private keys or CDP secrets to the environment used by the agent.
Findings: [openclaw.bundle.json:requires.env] unexpected: The bundle manifest marks multiple signing-related secrets (WALLET_PRIVATE_KEY and multiple CDP_* secrets) as required. The SKILL.md documents that only one signing option is necessary (private key OR CDP server wallet), so requiring all of them is disproportionate and likely a manifest error or misconfiguration.

Review Dimensions

Purpose & Capability: noteName/description (market listing, quoting, trading, on-chain queries) align with included scripts and SDK dependency (@gensyn-ai/gensyn-delphi-sdk). However the bundle manifest (openclaw.bundle.json) declares a set of required environment variables that includes both private key and Coinbase CDP secrets — this list appears to require all signing options simultaneously instead of one chosen option, which is disproportionate to the documented purpose.
Instruction Scope: concernSKILL.md instructs the agent never to read the .env file and to ask the user to create one (treating secrets as off-limits to chat), yet also expects scripts (scripts/*.ts) to run using those environment values. The instructions hand responsibility back to the user but the bundle's required env config implies the agent/environment should already have these secrets available. This is an incoherent directive: either the agent must be granted secrets to run on-chain transactions, or it must remain read-only.
Install Mechanism: okNo custom or remote install step is provided beyond standard npm install. Dependencies (SDK, dotenv, viem) are expected for this functionality and no downloads from untrusted URLs or extract/install steps are present.
Credentials: concernopenclaw.bundle.json lists DELPHI_API_ACCESS_KEY, WALLET_PRIVATE_KEY, CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET, CDP_WALLET_ADDRESS as required env vars; SKILL.md documents that the user should supply either a private-key signer or a Coinbase CDP server wallet (one or the other). Marking all of these as required (instead of conditional/optional) is excessive and risky because it asks for multiple unrelated sensitive credentials. The skill also claims registry metadata had no required env vars — another mismatch.
Persistence & Privilege: okThe skill is not always-enabled (always: false) and does not request any unusual persistent privileges. It does not declare system config path access or modification of other skills. Autonomous invocation (disable-model-invocation: false) is normal for skills and not by itself flagged.