Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Trails - pay with any token from any chain
v1.0.0
Integrate Trails cross-chain infrastructure — Widget, Headless SDK, or Direct API
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The name, description, docs, and code snippets all consistently implement a Trails integration assistant (Widget, Headless SDK, Direct API). One small mismatch: the registry metadata declares no required environment variables, but the SKILL.md and docs repeatedly instruct the agent to look for and use TRAILS_API_KEY / NEXT_PUBLIC_TRAILS_API_KEY. That difference is minor but worth noting (the skill doesn't force a credential at install time, but its runtime behavior expects you to provide one).
Instruction Scope
The runtime instructions explicitly tell the agent to scan the project for an API key (search .env files, environment variables, and config files) before generating integration code. That behavior is coherent with the goal (the skill must know whether an API key exists and whether it is client- or server-side). It does mean the agent will be directed to access workspace files and environment variables, which are sensitive — appropriate here but worth the user's awareness.
Install Mechanism
No install spec is provided (instruction-only skill with embedded docs and code snippets). The included code samples reference npm/pnpm packages (e.g., @0xtrails/trails, @0xtrails/trails-api) and official-looking endpoints (api.trails.build, docs.trails.build). There are no downloads from unknown URLs, no extract/install operations, and no obfuscated installers.
Credentials
The skill does not declare required env vars in the registry metadata, but the documentation and SKILL.md legitimately instruct users to supply TRAILS_API_KEY or NEXT_PUBLIC_TRAILS_API_KEY for server/client flows. That credential request is proportionate to the service (Trails API). The docs also correctly point out the difference between server-only keys and client-exposed keys (NEXT_PUBLIC_ prefix). There are no demands for unrelated secrets or multi-service credentials.
Persistence & Privilege
The skill is not configured as always:true and does not request persistent modification of other skills or system-wide settings. disable-model-invocation is false (normal). It acts as an on-demand integration helper and provides guidance/code snippets only.
Assessment
This skill appears to do what it says: it helps you integrate Trails by examining your project, recommending Widget/Headless/API approaches, and producing code. Before installing or using it, consider: 1) the skill will look for API keys in your project and environment: only allow access if you trust the agent, and withhold it if you do not want secrets scanned or exposed; 2) follow the docs' guidance about using server-side (TRAILS_API_KEY) vs client-side (NEXT_PUBLIC_TRAILS_API_KEY) keys, and never publish server keys in client code or commit them to source control; 3) verify you trust the Trails endpoints (docs.trails.build, dashboard.trails.build, api.trails.build) and the package names the snippets reference (e.g., @0xtrails/trails); 4) prefer adding API keys to environment variables on the server, test calldata flows on testnets first, and avoid pasting full keys into chat unless you explicitly intend to share them. If you want extra assurance, ask the skill author for a signed repository link or review the upstream GitHub release/source code before using their npm packages.
Like a lobster shell, security has layers — review code before you run it.
