ClawHub

Send USD Skill

v0.1.0

Send USD from one agent to another.

0· 1.1k·0 current·0 all-time
by@afeef23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description promise an actual USD transfer, but the skill requires no credentials, no provider config, and the code contains a TODO comment stating integration with a payment provider is required. As delivered it only simulates transfers; a real payment capability would need API keys, account IDs, or gateway integration.
Instruction Scope
SKILL.md restricts inputs/outputs to transfer parameters and mentions authentication & auditing, but provides no authentication mechanism or instructions for configuring a payment provider. The runtime instructions do not reference reading credentials or contacting an external payment API—so behavior is limited to local simulation.
Install Mechanism
No install spec and no external downloads; this is instruction+code only and does not write files or fetch remote artifacts during install, which is low risk.
!
Credentials
The skill requests no environment variables or credentials despite claiming to perform money transfers. Real transfers normally require secrets (API keys, service tokens, account credentials). The absence of these is disproportionate to the stated purpose and misleading.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and does not modify other skills or system-wide agent settings.
What to consider before installing
This skill currently only simulates transfers locally (it generates a transaction_id and returns success) and does not actually move money. If you intended to use it for real payments, require the author to: (1) explain which payment provider it integrates with; (2) add explicit, minimal environment variables for provider credentials and show how they're used securely; (3) remove any simulation code and show audited network calls to the provider's official API endpoints; and (4) document rate limits, error handling, and audit logging. Do not rely on this skill for financial operations until you verify provider integration and secure credential handling; enabling it for autonomous agents could let other agents record 'successful' transfers that never occurred, causing financial or audit confusion.

Like a lobster shell, security has layers — review code before you run it.

latestvk970da4fm325mznmsfy9ch81c180jwb0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments