Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cancel Task
v0.1.0
Cancel a task on OpenAnt and reclaim escrowed funds. Only the task creator can cancel. Use when the user wants to abort a task, take it down, withdraw the bo...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the runtime instructions: all commands are npx @openant-ai/cli operations to check status, get task info, cancel a task, and check settlement. No unrelated capabilities or credentials are requested.
Instruction Scope
SKILL.md stays on-topic: it requires authentication to OpenAnt, checks task state, asks for explicit user confirmation before cancelling, and provides error handling and next steps. It does not instruct reading unrelated files, exfiltrating data, or contacting unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However the runtime commands use `npx @openant-ai/cli@latest`, causing Node/npm to fetch and execute code from the npm registry at runtime — this is expected for a CLI-first skill but does execute remote code each run and is a moderate operational consideration.
Credentials
The skill declares no environment variables or credentials. It correctly delegates authentication to the `authenticate-openant` skill. The lack of direct credential requests is proportionate to its purpose.
Persistence & Privilege
always is false, user-invocable is true, and model invocation is enabled (normal). The skill does not request persistent installation or modify other skills or system-wide settings.
Assessment
This skill appears coherent and does what it claims: it runs the OpenAnt CLI to check, cancel, and verify refunds. Before installing or using it, note: 1) the commands use `npx`, which downloads and runs the @openant-ai/cli package from the npm registry at runtime — that means remote code is executed on the host when the skill runs; review the CLI package or vendor if you need stronger assurance. 2) The skill assumes you are authenticated (it points to an `authenticate-openant` skill); that authentication will likely involve your wallet or API credentials — ensure you trust how those are stored and used. 3) Cancellation is irreversible and only the task creator may cancel; the skill correctly requires explicit user confirmation first. If those conditions are acceptable, the skill is proportionate to its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dq2d0qtdkzge8cbdv1nn7p98236kr
