Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
vybes.fun
v1.0.0Solana token launchpad with prediction markets, AI logo generation, and website builder. Launch tokens (FREE), generate logos, create predictions, build webs...
⭐ 0· 54·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
SKILL.md describes a Solana launchpad, prediction markets, AI logo generation, and website building — and the listed API endpoints in the runtime instructions align with that purpose. However, the packaged files include an unrelated 'admin-set-reserves.html' admin tool (for changing bonding-curve reserves) and many large static assets; the admin tool is not referenced in SKILL.md and is unexpected for a simple API instruction-only skill.
Instruction Scope
The SKILL.md instructions are self-contained API calls against https://vybes.fun and do not instruct the agent to read arbitrary host system files, environment variables, or the bundle's admin HTML. The documented flows (launch_token, generate_logo, create_prediction, build_website) are scoped to the described service and external builder (aicre8.dev).
Install Mechanism
No install spec and no code files to execute — this is an instruction-only skill that ships static assets. That is low-risk from an installation perspective.
Credentials
SKILL.md declares no required environment variables or credentials, yet the included admin HTML contains plaintext configuration/credentials (a Helius Devnet RPC URL with an API key embedded) and a hard-coded 'required signer' wallet address. Those secrets/config values are unrelated to the declared SKILL.md requirements and increase the attack surface or leak credentials.
Persistence & Privilege
The skill does not request persistent or always-on privileges (always:false) and has no install. However, the presence of an admin page capable of submitting on-chain transactions to a bonding-curve program (if the correct authority wallet is used) implies a high-impact action exists in the bundle. That file could grant powerful administrative capability to anyone who obtains the required signer key or reuses it.
Scan Findings in Context
[base64-block] expected: Many SVG/PNG assets embed data:image/base64 URIs; base64 blocks in the package are expected for inline images and do not by themselves indicate malicious intent.
What to consider before installing
The skill's API instructions are coherent with a Solana launchpad, but the packaged files contain an unexpected admin HTML page (admin-set-reserves.html) that: (1) includes a plaintext Helius Devnet RPC API key, and (2) documents a 'required signer' authority wallet able to change bonding-curve reserves. Before installing or using this skill: - Treat the package as untrusted static content: do not open the admin page or connect your real wallet to it unless you control the documented authority key. - The embedded devnet RPC key may be a leftover/test key; avoid relying on it and do not expose your own keys to these files. - Verify the skill's source and homepage (none provided) and ask the publisher why an admin tool is included and why credentials are embedded. - If you plan to use the skill with any wallet, use a throwaway/test wallet and never use your primary/private keys. Additional information that would reduce uncertainty: confirmation from the publisher about the admin file's purpose, whether the embedded RPC key is intentionally public/dev-only, and whether the admin page is intended for distribution.Like a lobster shell, security has layers — review code before you run it.
latestvk973rjrdspa7j2peyytksn8rp9840hcx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.