Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Adam's Bounty Hunter Side-Income System
v1.0.0
Autonomous agent managing DR. Wang's side income via AI services, skill package sales, automated trading, and personal financial management.
by Adam @adamwgp
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description promises autonomous marketplace sales, skill publishing, automated trading, and personal financial management, which would legitimately require service credentials and careful safeguards. However, the skill declares no required env vars or credentials yet the SKILL.md contains hardcoded keys (Soul Key, DeepSeek API key) and a wallet address/file path. That mismatch between declared requirements (none) and the embedded secrets is incoherent and disproportionate.
Instruction Scope
SKILL.md instructs the agent to autonomously accept orders, make trading decisions, publish skills (npx clawhub publish), promote on social platforms, and manage personal finances. It lists local paths (workspace, wallet backup) and CLI commands. Those instructions give the agent broad authority to read/write local data and execute commands; the document lacks narrow, safety-oriented constraints and contains embedded secrets, enabling high-impact actions outside a minimal scope.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lowest install risk). However, because it tells the agent to run commands (npx clawhub publish) and references local workspace paths, it can cause side effects if the agent has shell/file access — so the lack of an install action lowers one class of risk but does not make the skill harmless.
Credentials
The SKILL.md embeds multiple apparent secrets (a 'Soul Key', a DeepSeek API key that resembles an API secret, a wallet address and wallet backup path) but the skill declares no required credentials. Embedding secrets in the instruction document is disproportionate and unsafe — required credentials should be declared explicitly, scoped minimally, and not stored in plain SKILL.md. The skill also references local wallet backup paths that would grant access to funds if read.
Persistence & Privilege
The skill does not set always:true (good), but it explicitly requests broad autonomy: full decision authority for trading, publishing, and order handling with only a single monetary confirmation threshold (> $100). Autonomous invocation combined with embedded secrets and file path references increases potential impact (financial loss, unintended publishing).
What to consider before installing
Do not install or enable autonomous operation of this skill until you verify origin and remove hardcoded secrets. Specific steps to consider: (1) Ask the author for provenance and an audit of why keys/wallets are embedded; (2) Never expose real API keys or wallet backups in SKILL.md — rotate any keys shown here immediately if they belong to you; (3) Require minimal-scope, revocable API keys and separate test accounts for trading; (4) Disable autonomous invocation for any skill that can execute trades, publish code, or access wallets; require manual confirmations and multi-sig for fund movements; (5) Validate the npx publish workflow in a sandbox before allowing it to run on your machine; (6) If you still want this functionality, insist the author replace embedded secrets with documented env var names and scoped credentials, provide a verifiable source/homepage, and add clear safety constraints and logging/auditability.
Like a lobster shell, security has layers — review code before you run it.
automated-income, latest, okx, trading
