Trust Assessment
clawdvine received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Hardcoded Bearer Token detected", "Unpinned npm dependency version", and "Skill requires and uses EVM private key for on-chain transactions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill requires and uses EVM private key for on-chain transactions. The skill's documentation (`SKILL.md`) and bundled scripts (`scripts/check-balance.mjs`, `scripts/sign-siwe.mjs`, `scripts/x402-generate.mjs`) explicitly instruct the user to provide an `EVM_PRIVATE_KEY` environment variable. This private key is then used to derive wallet addresses, sign SIWE messages for authentication, and sign x402 payments for on-chain transactions. Exposing an EVM private key grants full control over the associated cryptocurrency wallet, including all funds and assets. This poses a critical risk of financial loss if the private key is compromised, mishandled, or if the LLM environment is not sufficiently secured to prevent its exfiltration or misuse. For users: Exercise extreme caution. Use a dedicated, low-value wallet for this skill. Never use a main wallet's private key. Ensure the environment where the private key is exposed is highly secure and isolated. For developers: Explore alternative authentication/payment methods that do not require direct exposure of a private key to the agent's environment (e.g., delegated signing services, secure hardware modules, or user-initiated wallet prompts outside the agent's direct control). If direct private key usage is unavoidable, clearly document the severe risks and provide strong warnings to users. | LLM | SKILL.md:140 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/c0rv0s/clawdvine/clawdvine-skill-1.1.0/SKILL.md:47 |
| MEDIUM | Unpinned npm dependency version. Dependency '@x402/evm' is not pinned to an exact version ('^2.2.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/c0rv0s/clawdvine/clawdvine-skill-1.1.0/package.json |