Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cavos Cli

v0.1.0

Interact with the Cavos CLI for Starknet wallet operations. Use for transfers, approvals, contract calls, session management, and transaction monitoring.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Cavos CLI for Starknet wallet ops) matches the required binary (npx) and the SKILL.md commands (npx @cavos/cli). There are no unexpected credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md only instructs running specific cavos CLI commands (whoami, balance, transfer, execute, etc.) and to use --json. It does not instruct reading unrelated files or environment variables. It does mention importing a session token provided from the Dashboard (expected for auth).
Install Mechanism
No install spec (instruction-only), which is low-risk. However, the runtime commands use npx to fetch and execute @cavos/cli from the npm registry on demand — that implicitly downloads and runs remote code. This is expected for an npx-based CLI but is a material runtime action the user should be aware of.
Credentials
The skill declares no required env vars or credentials. That aligns with the instructions, which expect an explicit session token to be provided when running session import. There is no hidden request for unrelated secrets or external credentials.
Persistence & Privilege
always is false and the skill has no install step that modifies system or agent-wide settings. It does not request persistent privileges or modify other skills' configs.
Assessment
This skill is coherent for controlling a Cavos/Starknet wallet via the @cavos/cli, but note: npx will download and execute the @cavos/cli package from npm at runtime — verify the package name, publisher, and version before running. Do not paste session tokens, private keys, or other secrets into chat; supply them only to the CLI in a secure context. Before sending transfers/approvals, double-check addresses and amounts and consider running simulate/estimate first. If you prefer more control, install @cavos/cli locally from a verified source and run it directly rather than via npx.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dnnwnh24e3cn85nxg9qfvk580zxe4


Runtime requirements

Bins: npx
