Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DanceArc v0.1.0
DanceTech Protocol (DanceArc): Arc native USDC, HTTP 402 x402-shaped challenges, and h2h/h2a/a2a/a2h settlement patterns. Use when: (1) Implementing or debug...
by Arun Nadarasa (@arunnadarasa)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence

Purpose & Capability
The SKILL.md describes a payment / on-chain verification integration (Arc testnet native USDC, Circle Gateway, burst scripts) — those capabilities legitimately require API keys and private keys. However the registry metadata lists no required environment variables or primary credential, which is an incoherence between the declared manifest and the capability described.
Instruction Scope
The runtime instructions reference many sensitive env vars (CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET, VITE_CIRCLE_CLIENT_KEY, ARC_BURST_PRIVATE_KEY) and describe running burst scripts that use a private key. The skill is instruction-only (no code files executed by the installer), but the SKILL.md expects agents/operators to provide and use secrets; those references are not declared in the required fields, and the instructions could encourage exposing high-value secrets to an agent or developer workflow.
Install Mechanism
No install spec or binary downloads are present (instruction-only). Installation guidance is a git clone + copy into ~/.openclaw/skills or use ClawdHub — low-risk from an installer perspective (no archive downloads or arbitrary external binaries).
Credentials
The SKILL.md expects multiple sensitive variables (Circle API/Entity secrets and a machine private key for 'burst' CLI use). Those are proportionate to a payment/proxy skill technically, but the manifest does not declare them as required and there is no primaryEnv. ARC_BURST_PRIVATE_KEY in particular is highly sensitive; the skill implies it will be used on-machine which requires explicit caution and stronger manifest declaration.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or system-wide privileges. It is user-invocable and allows autonomous invocation by default (normal for skills) but does not request elevated platform privileges in the metadata.
What to consider before installing
This skill appears to implement a small payments stack and legitimately needs Circle API keys and a test private key, but the package metadata does not declare any required credentials — an inconsistency you should resolve before installing. Before you proceed:
(1) Inspect the referenced GitHub repo code yourself (https://github.com/arunnadarasa/dancearc) to confirm what the server actually does;
(2) do not supply production API keys or real private keys — use ephemeral/test accounts and testnet keys only;
(3) require the publisher to update the skill manifest to explicitly declare required env vars so the platform can protect those secrets;
(4) avoid running npm run burst with any private key on a machine that holds real funds;
(5) if you don't trust the source, run in an isolated environment or skip installing.
If the author supplies a signed, audited release and the manifest is corrected to declare required secrets, the skill is more transparent and easier to evaluate.
