Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Publish Svg Flag

v1.1.3

Render OG Aavegotchi SVG and PNG images from Base for custom hypothetical loadouts or existing token IDs. Use when the user wants classic onchain SVG-style g...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included code and dependencies: the repo contains a Node renderer, viem calls to an on-chain diamond, resvg rasterizer, and helper shells to create SVG/PNG outputs and manifest JSON. Required tools (node, npm, optional raster binaries) and network access to a Base RPC are reasonable and proportional to an on-chain SVG renderer.
Instruction Scope
SKILL.md and the wrapper scripts instruct the agent to run local renderer scripts, read the generated manifest, and return media paths for chat; the runtime instructions do not attempt to read unrelated system files or transmit data to unexpected remote endpoints. The code does perform RPC calls to the configured Base RPC (default https://mainnet.base.org), which is expected for token renders.
Install Mechanism
There is no automated install spec in the registry; the README/SKILL.md require running `npm install` locally so @resvg/resvg-js and viem are available. This is a common pattern, but running npm install will pull many packages from the public registry (package-lock.json present) — that adds the usual supply-chain risk of npm dependencies and optional native binaries.
Credentials
Registry metadata declares no required env vars, but the code and scripts reference AAVEGOTCHI_RPC_URL (optional override) and AAVEGOTCHI_SVG_PNG_SIZE. These env vars are not declared in requires.env/primaryEnv. While the envs themselves are reasonable for configuration, undeclared env usage is an incoherence and could be used by an operator to redirect RPC traffic (e.g., to an attacker-controlled RPC) or change behavior unexpectedly.
Persistence & Privilege
The skill is marked always: true in the embedded metadata, which forces it to be included in every agent run; SKILL.md gives no clear justification for that global inclusion. Combining always: true with network access (RPC calls) increases the blast radius, so the setting should be justified or removed.
What to consider before installing
This skill's code and documentation largely match its stated purpose (rendering Aavegotchi SVGs from Base). Still, pay attention to two issues before installing:
1) It sets always:true (force-included) — consider removing that unless you want the skill loaded for every agent invocation.
2) The code reads optional env vars (AAVEGOTCHI_RPC_URL, AAVEGOTCHI_SVG_PNG_SIZE) that are not declared in the registry metadata; if you override AAVEGOTCHI_RPC_URL, you could direct on-chain calls to an untrusted RPC.
If you proceed, run npm install and the skill in a sandbox or CI runner first, inspect installed node_modules and any postinstall scripts, and avoid pointing AAVEGOTCHI_RPC_URL at RPC endpoints you don't trust. If you need help hardening: require the skill only for relevant agents (remove always:true), declare optional env vars in the registry metadata, and consider restricting network permissions or validating any RPC URL passed in.


latest: vk976ae8k8mj3wn17pcb0mtzhzn84x1b3

