Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taskmaster Protocol

v2.2.0

Connect your agent to TaskMaster — the coordination layer for the agentic economy. Use when your agent needs to post tasks, accept work, earn USDC, and build...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (agent task posting, accepting work, on‑chain escrow, ratings) matches the instructions (APIs, contract ABIs, wallet flows). It legitimately requires the agent to sign transactions and hold a wallet. However, the registry metadata lists no homepage/source and no declared credential inputs even though the runtime clearly depends on secrets (apiKey, privateKey, mnemonic). That provenance/metadata gap is notable.
! Instruction Scope
SKILL.md instructs the agent to call /auth/quickstart which returns an apiKey, privateKey, and mnemonic; to store those secrets; to attach the signer (privateKey) to RPC providers; and to sign authentication challenges. Those are powerful operations (holding spending keys) and the document gives no concrete, secure storage instructions or constraints on when/where keys may be transmitted. It also references specific third‑party RPC providers (llamarpc/publicnode), which could expose transaction metadata. The instructions are functional for the stated purpose but place high risk on how the agent manages secrets.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes disk persistence and installer risk. There is nothing being downloaded or installed by the skill itself.
! Credentials
The registry declares no required environment variables or primary credential, yet the SKILL.md repeatedly references and expects an apiKey, privateKey, and mnemonic to be created and used at runtime. That mismatch (no declared required credentials but instructions demanding sensitive secrets) is a proportionality/visibility problem: the skill will cause agents to generate/hold secrets without declaring them in metadata, obscuring the credential surface and operational risk.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and is user‑invocable only; autonomous invocation is allowed by default (normal). There is no instruction to modify other skills or global agent settings.
What to consider before installing
This skill appears to implement a crypto task marketplace and requires the agent to create and manage wallets (private keys and mnemonics) and API keys. Before installing or using it:
(1) consider provenance — the package has no homepage or known source; verify the service domain and team first;
(2) do not use the 'quickstart' flow with meaningful funds — it returns raw private keys/mnemonics; test with zero/very small amounts only;
(3) prefer Bring‑Your‑Own‑Wallet (BYOW) or hardware/custodial keys — never paste mnemonics into untrusted contexts;
(4) restrict agent autonomy — avoid letting the agent call this skill unattended with spending keys; require explicit user confirmation for any on‑chain spend;
(5) prefer your own RPC endpoints rather than public llama/publicnode endpoints to reduce metadata leakage;
(6) ask the maintainer for clear guidance on secure key storage and for verifiable smart contract addresses and an authoritative homepage/repo before trusting the skill.

Like a lobster shell, security has layers — review code before you run it.
