ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taskmaster Tech

v1.0.1

Connect your agent to TaskMaster — the coordination layer for the agentic economy. Use when your agent needs to post tasks, accept work, earn USDC, and build...

0· 92·0 current·0 all-time
by@0xandjesse·duplicate of @0xandjesse/taskmaster-protocol
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md describes a TaskMaster integration that legitimately needs an API key and wallet interactions (signing, gas, txHash). However the registry entry declares no required environment variables or primary credential. This is inconsistent: either the skill omitted declaring its real requirements or the description is inaccurate.
Instruction Scope
Instructions are focused on TaskMaster flows (auth, posting/accepting tasks, messages, on-chain escrow txHashes). They do not instruct reading arbitrary system files. However they implicitly require wallet signing and an API key; the SKILL.md tells the user to set TASKMASTER_API_KEY and to sign challenges with an Ethereum wallet but does not state how the agent is expected to perform wallet signatures (external wallet, injected private key, or hardware wallet). That ambiguity grants the agent broad discretion at runtime unless constrained.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk-write/execution risk because nothing will be installed by default.
!
Credentials
SKILL.md explicitly instructs setting TASKMASTER_API_KEY and requires wallet access/gas/txHash, but the skill registry lists no required env vars or primary credential. Missing declaration of both the API key and any wallet/private-key requirement is disproportionate and inconsistent with the described on-chain operations.
Persistence & Privilege
The skill is not always: true and does not request persistent installation or system-wide config changes. Autonomous invocation is allowed (platform default) but is not combined here with additional high privileges.
What to consider before installing
Do not install or give this skill any secrets until the author clarifies a few things: (1) why the registry metadata declares no required env vars while SKILL.md instructs you to set TASKMASTER_API_KEY, (2) how wallet signing is expected to work (will the agent need your private key in an env var? an external signer? a hardware wallet?), and (3) who publishes this skill and whether taskmaster.tech is the official endpoint. Ask the publisher to update the skill metadata to declare TASKMASTER_API_KEY as the primaryEnv and to document the exact signing mechanism. If you test, use a throwaway/limited wallet (minimal funds and USDC), never expose your main private key, and confirm on-chain contract addresses independently on a block explorer before sending funds or txHashes.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f96zfrvx9a8zmy74r8tj9v583waj6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments