Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WachAI-x402

v1.0.2

DeFi risk analysis toolkit powered by WACH.AI via x402 payments using AWAL wallet custody. Use when the user asks to check if a token is safe, assess DeFi ri...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description, payment model (0.01 USDC on Base), AWAL custody requirement, and required runtime (Node.js/npm, AWAL CLI) align with a third‑party DeFi analysis tool that performs paid queries. No unrelated credentials or system-level access are requested.
Instruction Scope
SKILL.md instructs the agent to run AWAL/x402-wach CLI commands (setup, login/verify, balance, verify-risk) and to call an external API endpoint. The instructions explicitly prohibit asking for private keys and local wallet files, which reduces risk. Minor note: SKILL.md also shows a programmatic npm import (@quillai-network/x402-wach) but the skill provides no install spec — the skill expects a runtime environment with Node/npm and AWAL already available.
Install Mechanism
No install spec is present and there are no code files — this is an instruction-only skill. That is lower risk than an install that downloads or extracts arbitrary code. The requirement that Node/npm and AWAL be present is reasonable for the described JS client/CLI usage, though users should ensure AWAL and any npm packages come from trusted sources.
Credentials
The skill does not request environment variables, secret tokens, or access to unrelated services. It uses the user's AWAL-managed wallet for payments, which is proportionate to a paid analysis service. The skill's explicit prohibitions on private keys/seeds are appropriate.
Persistence & Privilege
always:false and normal autonomous invocation settings are used. The skill does not request persistent system-wide privileges or modification of other skills. There is no evidence it would persistently alter agent configuration.
Assessment
This skill is internally consistent for a paid DeFi risk tool that charges via an AWAL wallet, but check a few practical points before installing/using:
1) Confirm you have the AWAL CLI installed from the vendor's official source and that you trust the domain https://x402.wach.ai.
2) The skill will attempt on‑chain queries and make an external API call and a charged payment (0.01 USDC on Base) from your AWAL wallet; ensure you understand and authorize this.
3) Do not provide private keys, seed phrases, or local wallet files; the skill explicitly forbids them.
4) SKILL.md references an npm package (@quillai-network/x402-wach) but no install mechanism is provided. If you want programmatic usage, obtain the package from a trusted registry and verify its provenance.
5) Monitor your AWAL balance and payment receipts and verify any failed payment diagnostics the skill surfaces.
If you need higher assurance, ask the publisher for a homepage, source repo, or verifiable release artifacts before use.

Like a lobster shell, security has layers — review code before you run it.

