Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Billionverify Skill

v0.1.0

Verify email addresses using the BillionVerify API. Use when user wants to verify single emails, batch verify email lists, upload files for bulk verification...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and README clearly require a BillionVerify API key and describe endpoints for single/bulk verification, credits, and webhooks — which are coherent with the skill's stated purpose. However, the registry metadata lists no required environment variables or primary credential despite the skill depending on BILLIONVERIFY_API_KEY. The absent source/homepage reduces provenance and trust.
Instruction Scope
Runtime instructions are limited to calling BillionVerify REST endpoints via curl and uploading user-specified files. They do not instruct the agent to read unrelated local files or other environment variables. Note: file upload commands (curl -F file=@/path/to/...) require the agent to have access to local files the user chooses to upload, so only user-intended files should be provided.
Install Mechanism
No install spec or code is present (instruction-only), so the skill does not write or execute downloaded code. This is lower risk from an install perspective.
Credentials
The SKILL.md and README require a single env var (BILLIONVERIFY_API_KEY). That is proportionate to the API integration. However, the registry metadata fails to declare this required environment variable or a primary credential, which is an incoherence that can lead to misconfiguration or surprise credential exposure. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request any elevated persistence or modifications to other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other alarming flags.
What to consider before installing
This skill appears to do what it says (call BillionVerify APIs) but the registry metadata is inconsistent: it doesn't list the required BILLIONVERIFY_API_KEY even though SKILL.md and README require it. Before installing, verify the skill's provenance (author/source/homepage) and either correct or confirm the metadata. Only provide a BillionVerify API key that you trust and consider creating a limited-scope or rotated key if possible. Be aware that uploading files will send user data (email addresses, which are personal data) to BillionVerify — ensure that sharing these email lists complies with your privacy policies. When creating webhooks, store the returned secret securely. Finally, confirm billing/credit implications (verification may consume credits) and test the skill in a sandbox environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ge02mdtfcpyk6sdz15v3qd822736
