Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dapp
v1.0.0
A comprehensive AI agent skill for discovering, evaluating, and monitoring decentralized applications. Tracks on-chain activity anomalies, evaluates smart co...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
low confidence
Purpose & Capability
The skill claims continuous on-chain monitoring, anomaly detection, smart-contract analysis, and portfolio tracking but declares no required binaries, no environment variables (RPC/indexer/API keys), and no install steps. Realizing the described functionality at scale normally requires access to blockchain RPC endpoints or indexer APIs, and possibly third-party services (Etherscan, TheGraph, Alchemy, Infura), which are not mentioned or requested. This mismatch is unexplained and disproportionate to the stated purpose.
Instruction Scope
The SKILL.md is high-level marketing and design text in the excerpt provided; it does not include concrete runtime instructions, command invocations, or explicit data sources. Because the file is instruction-only, the runtime instructions are the security surface — but here they are either missing or truncated. That lack of specificity gives the agent broad discretion (e.g., where to fetch data, what credentials to ask the user for), which is risky. It's unclear whether the skill will request sensitive inputs (private keys, wallet signatures) or transmit data off-platform.
Install Mechanism
No install spec and no code files are present; this is an instruction-only skill. From an install perspective this is low-risk because nothing will be written to disk or executed by an installer during install. However, runtime behavior still matters.
Credentials
The skill requests no environment variables, credentials, or config paths despite describing services that typically require API keys or persistent access (RPC providers, indexers, blockchain explorers). The absence could mean it relies only on public data (possible), but it could also mean required credentials will be requested interactively or ad hoc. The lack of declared primary credential or read-only API requirements is disproportionate and unclear.
Persistence & Privilege
The skill is not marked always:true and does not request system-level config changes in the visible content. Autonomous invocation is permitted by platform default (not itself a red flag). There is no evidence the skill modifies other skills or system settings.
What to consider before installing
Do not install or grant access until the author clarifies runtime behavior and data sources. Ask the author to explicitly state: (1) which on-chain data sources and third-party services will be used (Etherscan, TheGraph, Alchemy, etc.) and whether those require API keys, (2) exactly which environment variables or credentials the skill will request and whether they can be limited to read-only keys, (3) whether the skill ever asks for private keys or signing privileges (never provide private keys or signing permissions), (4) where data and alerts are sent and whether any data is stored off-platform (retention policy), and (5) concrete runtime instructions (what API calls it makes, what paths it reads). If you must test, use read-only, limited-scope API keys and a sandbox wallet with no funds. Because the SKILL.md appears truncated and the source is unknown, be particularly cautious: prefer skills that declare explicit data sources, required env vars, and a homepage or author contact before allowing autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
Tags: blockchain, dapp, defi, latest, onchain, web3
