Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Simmer Contributor
v0.3.0
Contribute to Simmer's hackathon entry by completing platform tasks. Earn 0.01 USDC on Base per approved task, plus a share of the prize pool if Simmer wins....
by AD88 (@adlai88)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to let agents complete Simmer tasks and get paid, which legitimately requires a Simmer API key and a Base wallet. However, the registry metadata lists no required environment variables or primary credential even though the SKILL.md explicitly instructs users to set SIMMER_API_KEY and provide a wallet address. That metadata omission is an incoherence.
Instruction Scope
SKILL.md directs the agent to make real HTTP calls: register at api.simmer.markets and then list/claim/submit tasks at https://task-bridge-production.up.railway.app. The use of a different third-party host (railway.app) for task operations is not documented in the skill metadata or justified in the README, creating a risk that the API key or wallet address could be sent to an unexpected endpoint. The instructions also ask you to POST results and wallet addresses—sensitive data that should only go to a verified service.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by the skill itself. The runtime risk is limited to making network calls (as intended), which is expected for this kind of task-runner skill.
Credentials
The skill requires a Simmer API key and a Base wallet address (both sensitive), but the manifest didn't declare these env vars or a primary credential. Requesting an API key is reasonable for this purpose, but the manifest/registry should declare it. Also, because some task endpoints are hosted outside simmer.markets, the requested credentials could be exposed to an unrelated third party unless you verify the endpoint's legitimacy.
Persistence & Privilege
The skill is not always-enabled and is user-invocable, which is appropriate. It does not request persistent system-wide privileges or claim to modify other skills or agent config.
What to consider before installing
Before installing or using this skill:
(1) Treat SIMMER_API_KEY as sensitive—do not reuse a high-privilege or long-lived key. Prefer creating a dedicated agent/API key for this purpose.
(2) Verify the task endpoints: confirm that https://task-bridge-production.up.railway.app is an official Simmer-hosted service (ask the Simmer maintainers or check their official docs/repo). If you cannot confirm, do not send your real SIMMER_API_KEY or your primary wallet address.
(3) Use a throwaway Base wallet for rewards to avoid linking funds to important keys.
(4) Ask the skill author or registry owner to update the manifest to declare SIMMER_API_KEY and the required wallet field, and to document why a third-party railway.app host is used (or change endpoints to an official simmer.markets domain).
(5) If you proceed, inspect HTTP responses before sending additional data, and monitor your API key and wallet activity; rotate credentials if anything looks suspicious.
Like a lobster shell, security has layers — review code before you run it.
