Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawtip
v1.0.8Executes a clawtip payment transaction for third-party skills. Trigger this tool strictly when a third-party service initiates a valid clawtip payment reques...
⭐ 2· 315·2 current·2 all-time
byClawTip@117788abc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md implement a payment flow that calls JD endpoints (ms.jr.jd.com) and reads/writes a local token ('u') — this matches the stated payment purpose. However, the top-level registry metadata shown to you lists no required binaries, env vars, or config paths, while SKILL.md and scripts clearly require Node.js and local credential storage (configs/config.json). That mismatch between what the skill claims at registry level and what it actually needs is unexpected and suspicious.
Instruction Scope
Runtime instructions require running scripts/payment_process.py with order_no and indicator and explicitly tell the LLM not to read order files. The scripts themselves read/writes order JSON files from a fixed path and persist a token to configs/config.json. There is a concrete inconsistency in paths: SKILL.md claims order files live under /root/openclaw/skills/orders (Linux/macOS) or C:\openclaw\..., while file_utils.py actually uses ~/.openclaw/skills/orders (home directory). The scripts make outbound network calls only to JD endpoints and invoke a bundled Node.js encryption helper — no other external endpoints observed.
Install Mechanism
There is no install spec (instruction-only), and all code is bundled with the skill (Python scripts + encrypt.js + bundled cryptico). No remote downloads or installers are used. However, the runtime requires Node.js for the bundled encrypt.js — this requirement is stated in SKILL.md but was not reflected in the registry metadata provided earlier. The absence of an install spec combined with an undeclared runtime dependency is an operational/packaging issue the user should confirm.
Credentials
The only credential the skill needs in practice is a local user token 'u' persisted to configs/config.json, which the scripts read/write. That is proportionate to a payment skill. However: (1) the token is stored as plaintext JSON (SKILL.md and scripts both note this), (2) the registry metadata initially shown to you listed no credential storage while SKILL.md declares local_file storage — a mismatch, and (3) the skill reads order files from the user's home directory which could contain arbitrary caller-supplied data. Because secrets are written to disk in plaintext, operators must secure the file (permissions/encryption) or reject installation.
Persistence & Privilege
The skill does not request 'always: true' and model invocation is allowed (default) which is expected for an inter-skill payment handler. It persists a token locally (configs/config.json) and writes payment credentials back into order files under the orders directory; this is within the scope of a payment workflow but increases impact if the environment is multi-tenant. No evidence the skill modifies other skills' configs or system-wide settings was found.
What to consider before installing
Things to check before installing: 1) Confirm the registry-level metadata with the skill author — SKILL.md and scripts require Node.js and local plaintext storage of a token, but the registry listing you saw omitted those requirements. 2) If you install, run the skill in an isolated/test environment first and verify it only contacts the JD endpoints (ms.jr.jd.com) and nothing else. 3) Protect configs/config.json (chmod 600, restrict directory access, consider disk encryption) because the token 'u' is stored as plaintext. 4) Reconcile the path discrepancy: SKILL.md claims /root/openclaw/... but file_utils uses ~/.openclaw/... — ensure order file locations are what you expect. 5) Ensure calling skills are trusted (order files may be provided by other skills) and that the allowed trigger safeguards described in SKILL.md are actually enforced by your agent environment. 6) If any of the above items are unclear or the author cannot explain the metadata mismatches, treat the package as untrusted and do not enable it in production.Like a lobster shell, security has layers — review code before you run it.
latestvk97ae7kt01h4wv0vkmwxr3rkx984se6x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.