Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shadow Number
v1.0.0
Get a disposable temp phone number and receive OTP codes to sign up on websites without using your real number. Handles x402 crypto payment automatically.
by 0xShadow @0xshadoweth
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to purchase temporary phone numbers and automatically handle an x402 crypto payment. That purpose reasonably explains requiring a wallet credential. However the registry metadata reported no required env vars while the SKILL.md declares SHADOW_WALLET_KEY — an inconsistency. The API endpoint is a third-party Railway app (extraordinary-charisma-production.up.railway.app), not a known vendor, which raises trust questions about where payments and OTP data are routed.
Instruction Scope
Instructions explicitly tell the agent to call the external API to buy numbers, poll for OTPs, and to navigate/enter data in a browser — all within the stated purpose. However the payment flow is vague: SKILL.md asserts "your agent wallet will automatically pay ~$0.10 USDC on Base when the server returns HTTP 402" but gives no concrete steps, endpoints, or clear guidance on how the SHADOW_WALLET_KEY is used. That ambiguity could lead to unintended transmission or misuse of a wallet key or automated payments.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is low-risk from an installation perspective.
Credentials
SKILL.md requires a single env secret, SHADOW_WALLET_KEY, to enable automated payments. That is potentially proportionate to paying for numbers, but it's a high-risk credential (can enable on-chain payments). The registry metadata not listing any required env vars is an inconsistency. The SKILL.md also hardcodes the API URL (not declared as configurable), meaning all sensitive actions go through an unreviewed third-party service.
Persistence & Privilege
The skill does not request always:true, has no install, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (the platform default) — combined with the wallet access this increases blast radius, but on its own is expected.
What to consider before installing
This skill appears to do what it says (buy temporary phone numbers and return OTPs) but has several red flags you should consider before installing:
(1) SKILL.md requires SHADOW_WALLET_KEY — a sensitive wallet secret that would enable automated on-chain payments; only provide such a key if you fully trust the service and process.
(2) The registry metadata omitted the required env var, an inconsistency that could indicate sloppy or deceptive packaging — ask the author to clarify exactly what credentials are needed and how they're used.
(3) The API endpoint is a third-party Railway app (not a well-known vendor); OTPs and payment interactions will flow through that server.
If you proceed, use a dedicated ephemeral wallet funded with only a tiny amount, audit any outgoing transactions, and avoid using your primary keys. Also consider legal/terms-of-service issues: using disposable numbers to bypass phone verification may violate target sites' terms or laws. If you need this functionality for legitimate testing, request more transparency from the publisher (source code, payment flow description, privacy policy) before supplying any secrets.
Like a lobster shell, security has layers — review code before you run it.
latest, otp, phone, privacy, sms, x402: vk97085ndnw3yef1e192t2s42md81s6xp
