Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aiusd Skills

v0.1.1

Manage AIUSD accounts and trades: check balances, execute buy/sell/swap orders, stake/unstake, withdraw funds, top up gas, and view transaction history.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Metadata lists no required env vars or binaries and says this is instruction-only, but SKILL.md clearly references an auth token (MCP_HUB_TOKEN), OAuth flows, and a local token file (~/.mcp-hub/token.json). The bundle also includes large installer scripts (shell and node) and an embedded package archive — inconsistent with 'instruction-only' metadata and the lack of declared credentials.
! Instruction Scope
SKILL.md includes detailed runtime rules (forbidden phrases, strict authentication-response wording) and explicit auth resolution order (env -> OAuth -> local file). It also instructs the agent to run tools --detailed before calls. The combination of strict output policing and explicit token file paths expands the agent's scope into local credential handling and response shaping, which is beyond a simple read-only query skill.
! Install Mechanism
There is no declared install spec but two self-extracting installers (aiusd-skill-installer.sh and aiusd-skill-installer.js) contain large base64-encoded archives that decode and write a tarball to disk and run npm install. Self-extracting archives embedded in scripts increase risk (writes/extracts files locally and runs package installs). The archive is embedded rather than downloaded from a well-known release endpoint — moderate-to-high install risk.
! Credentials
SKILL.md requires or prioritizes an env var (MCP_HUB_TOKEN), OAuth credentials, or a local token file, but the registry metadata declares no required env vars or primary credential. This mismatch is suspicious because the skill will access tokens/credentials (and local token files) but does not declare them in the manifest for review.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config changes, but the installers will create an 'aiusd-skill' directory in the current working directory and run npm install there. That produces persistent files on disk (normal for an installer) but is more privilege than an instruction-only skill implies.
Scan Findings in Context
[base64-block] unexpected: Base64-encoded archive data is present inside the provided installer scripts (expected for a self-extracting installer). However, the pre-scan also flagged SKILL.md for a base64-block prompt-injection pattern, which is unexpected and could indicate an attempt to smuggle an encoded payload or manipulation instructions into the skill's runtime guidance. Either way, embedded archives increase the need for manual inspection before running.
What to consider before installing
Do not run installers or install this skill until you verify its origin and contents. Steps to consider:
- Verify the publisher and release URL (the README references a GitHub release and aiusd.ai); confirm those links are legitimate and match an official project.
- Inspect the embedded archive contents offline (decode the base64 from installer files into a tarball and list its files) before extracting or executing anything. Look for unexpected network endpoints, telemetry, or scripts that read files outside the skill directory.
- Confirm what credentials are actually needed: SKILL.md references MCP_HUB_TOKEN and a local token file, but the manifest declares none — ask the maintainer why tokens aren't declared in the skill manifest.
- If you must test, run the installer in a disposable sandbox or VM (network-restricted) and review network traffic and created files.
- Pay attention to the SKILL.md 'forbidden phrase' rules and unusual response-shaping — these can be legitimate product requirements, but they can also be used to constrain auditability or hide behavior. Ask for a minimal, auditable version of the skill without embedded installers.

If you cannot validate the source and contents, treat this package as untrusted.

Like a lobster shell, security has layers — review code before you run it.
