Low Risk — Risk Score 20/100
Last scan: 19 hr ago
check-balance
Check USDC balance across networks (Base, Solana)
A simple USDC balance checker using standard npm tooling with minor supply chain concerns around @latest tag usage and broad argument allowance.
Skill Name: check-balance
Duration: 28.1s
Engine: pi
Safe to install
Pin the agnic package to a specific version instead of @latest to reduce supply chain risk. Consider narrowing the Bash tool permission to specific subcommands.

Findings (2 items)

Finding 1
Severity: Low
Finding: Unpinned npm package version
Category: Supply Chain
Description: The skill uses the @latest tag for the agnic package, which could resolve to a malicious version if the package namespace is compromised.
Evidence: npx agnic@latest status --json
Recommendation: Pin to a specific version: npx agnic@<version>
Location: SKILL.md:8

Finding 2
Severity: Low
Finding: Broad Bash tool permission
Category: Priv Escalation
Description: The Bash permission allows any arguments (*), potentially enabling unintended agnic subcommands beyond balance checking.
Evidence: Bash(npx agnic@latest *)
Recommendation: Consider limiting to specific subcommands: status, balance
Location: SKILL.md:4
Resource  Declared  Inferred  Status     Evidence
Shell     WRITE     WRITE     ✓ Aligned  Bash(npx agnic@latest *)

File Tree

1 file · 1.2 KB · 51 lines
Markdown: 1 file · 51 lines
└─ 📝 SKILL.md Markdown 51L · 1.2 KB

Dependencies (1 item)

Package  Version  Source  Known Vulns  Notes
agnic    latest   npm     No           Using @latest tag - no version pinning

Security Positives

✓ Single-purpose, straightforward functionality
✓ No credential harvesting or exfiltration detected
✓ No obfuscation or anti-analysis patterns
✓ Documentation matches stated behavior (doc-to-code alignment)
✓ Standard npm tooling without suspicious execution patterns
✓ No file system or environment variable access beyond npm execution