ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fund Wallet

v1.0.0

Get instructions for funding your AgnicPay wallet with USDC. Use when you or the user want to add funds, deposit USDC, top up the wallet, or need more balanc...

0· 48·0 current·0 all-time
by@agnicpay-prog
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and instructions focus on funding an AgnicPay wallet using USDC on Base; suggested methods (dashboard, direct transfer, bridge) and CLI queries (status/address/balance) are appropriate for that purpose.
!
Instruction Scope
Instructions require running 'npx agnic@latest' commands (status/address/balance) which is consistent, but the doc also references authentication steps (e.g., 'npx agnic@latest auth login' and an 'authenticate-wallet' skill) that are not included in the allowed-tools list. The doc tells the agent to run networked CLI commands and guides users to external sites; it does not ask to read local files or env vars, which is good, but the missing 'auth' capability is an inconsistency.
!
Install Mechanism
No install spec in the registry, but the runtime instructions rely on 'npx agnic@latest' — npx dynamically downloads and executes code from the npm registry each run. That is a non-trivial risk because code will be fetched and executed from a remote package (supply-chain risk) and the skill provides no provenance (repo, checksum) or pinned version.
Credentials
The skill requests no environment variables, credentials, or config paths — this is proportional to the stated purpose.
Persistence & Privilege
Skill is user-invocable, not always-enabled, and does not request persistent privileges or modify other skills/system config.
What to consider before installing
This skill appears to do what it says (help fund an AgnicPay wallet) but take these precautions before using it: (1) Be cautious about running 'npx agnic@latest' — npx downloads and executes code from npm each time; verify the npm package name, publisher, repository, and release history before executing. (2) The SKILL.md refers to an auth step ('npx agnic@latest auth login') but the allowed-tools list does not include it — confirm your agent/environment will permit authentication commands or that the referenced 'authenticate-wallet' skill exists. (3) Verify the pay.agnic.ai URL and TLS certificate; only send USDC on the Base network as instructed to avoid fund loss. (4) If you are in a shared or sensitive environment, avoid running dynamic remote packages without pinning versions or inspecting the package source. (5) If you need higher assurance, request the package's repository or a pinned release artifact (with checksum) and a clear explanation of the auth flow before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk9782nzr89e3z0b3t6jtde20ax84cygh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments