Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

USD1 Transaction

Securely transfer USD1 (USDC on Wormhole) between wallets using Wormhole Liquidity Facility on Testnet by default.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and index.js align: both describe transferring USD1/USDC over Wormhole Testnet and the code uses @wormhole-foundation SDK to perform a token transfer. However the registry metadata lacks a public description, homepage, or author — reducing provenance and making it harder to trust the publisher.
! Instruction Scope
The runtime instructions and code require the user's wallet privateKey as an input parameter (required). That is coherent for a transfer skill, but it means the agent runtime will receive a raw private key. SKILL.md cautions to use secure input and Testnet only, which is good, but the instructions give the agent direct access to a secret that controls funds — a significant risk if the agent environment or skill execution is compromised.
Install Mechanism
There is no install spec (instruction-only style) but the package.json/package-lock are bundled and list @wormhole-foundation SDK dependencies and many transitive packages. No external arbitrary download URLs are used. The large dependency tree increases surface area and includes components (in package-lock) with deprecation/security notes, which should be audited before running.
! Credentials
The skill does not request environment variables or platform credentials — instead it requires a privateKey passed at runtime. While necessary for signing a transaction, asking for a raw private key is high privilege: it grants full control of the wallet. The registry does not declare a primary credential or explain secure handling/storage of the key beyond the SKILL.md note. This is proportionate to the stated functionality but requires strong operational safeguards (use testnet only, ephemeral keys, or a signing service/hardware wallet).
Persistence & Privilege
The skill does not request always:true and does not modify system or other skills' configuration. Model invocation is allowed (default), which is normal. There is no evidence it attempts to persist credentials or change agent configuration autonomously.
What to consider before installing
This skill appears to implement a testnet USDC transfer using the Wormhole SDK and will ask you to provide a wallet private key at runtime. Before installing or using it:

  (1) do NOT supply a real/production private key — use a throwaway testnet wallet only;
  (2) review the bundled code and dependencies yourself or have a maintainer you trust audit them (package-lock includes many transitive packages and some deprecation notes);
  (3) prefer designs that use delegated signing (e.g., signing service, hardware wallet, or ephemeral key signing) rather than handing raw private keys to a skill;
  (4) verify the skill author and source (there is no homepage or author metadata here).

If you must test it, create a testnet wallet with minimal funds and monitor transactions closely.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: crypto, latest, stablecoins, usdt

SKILL.md

USD1 WLF Transfer Skill

Description

Allows an agent to securely transfer USD1 (USDC on Wormhole) from one wallet to another using Wormhole Liquidity Facility (WLF).

Capabilities

  • Check sender wallet balance (optional)
  • Transfer a specified amount of USD1 to a recipient address
  • Return transaction hash and status
  • Uses Testnet by default for safety

Input Parameters

  • amount: number (required) - amount of USD1 to send (e.g. 1.0)
  • toAddress: string (required) - recipient wallet address (e.g. 0x123...)
  • chain: string (optional, default: Solana) - source chain
  • privateKey: string (secure, required) - sender wallet private key

Output

  • transactionHash: string
  • status: "success" or "failed"
  • message: string (details or error)

Security Notes

  • Never hardcode private keys
  • Use secure agent input for keys
  • Testnet only until production

Example Usage

/skill usd1-wlf-transfer amount=1.0 toAddress=0xabc123... chain=Solana

Files

4 total