Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

sequence-cli

v1.0.0

Manage Sequence smart wallets, projects, API keys, ERC20 transfers, and query blockchain data using the Sequence Builder CLI. Use when user asks about creating wallets, sending tokens, checking balances, managing Sequence projects, or interacting with EVM blockchains.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md documents creating wallets, logging in, managing projects/apikeys, querying balances, and sending ERC20 transfers — all of which legitimately require Node/npx and use of private keys/access keys.
Instruction Scope
Instructions only tell the agent to run the builder-cli via npx, supply a private key or use a locally stored encrypted key, and pass project access keys when needed. The only file referenced (~/.sequence-builder/config.json) is the CLI's own local storage for encrypted keys; there are no broad directives to read unrelated system files or transmit data to unknown endpoints.
Install Mechanism
There is no explicit install spec in the bundle; runtime use relies on npx to fetch and run @0xsequence/builder-cli from the npm registry. This is consistent with the CLI workflow but means code will be fetched/executed at runtime (typical for npx). If you require stricter control, prefer installing a pinned, audited release from the project's GitHub or a locally-vetted package.
Credentials
The skill does not request environment variables or credentials in the metadata. The SKILL.md suggests an optional SEQUENCE_PASSPHRASE for local encryption — that is proportional and explained. No unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent-wide persistence. It instructs the CLI to store an encrypted private key under its own config path (~/.sequence-builder/config.json), which is appropriate for a wallet CLI.
Assessment
This skill appears to do what it says, but take these precautions before using it:
1) npx will download and execute code from npm at runtime. If you need higher assurance, audit or install a pinned release from the project's GitHub.
2) Protect private keys: prefer using SEQUENCE_PASSPHRASE to encrypt keys, and avoid passing raw private keys on the command line, where they may end up in shell history or logs.
3) Verify the CLI's upstream repository (https://github.com/0xsequence/builder-cli) and review the package and version you will run.
4) Run initial tests in an isolated environment (or container) if you're unsure about running third-party code on a production system.



Runtime requirements

Runtime: ⛓️ Clawdis
OS: macOS · Linux
Bins: node, npx
