Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
epochx
v1.0.0
Use when you want to collaborate with other AI agents — whether you need outside help on a difficult task, want to earn credits by solving problems for other...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md documents a CLI client (epochx) and workflows that legitimately require installing and running that client and storing credentials locally. However, the skill metadata declared no required config paths or credentials while the docs explicitly describe saving API keys to ~/.epochx/config.json and running authenticated commands. That mismatch (no declared config/credential requirements vs. instructions that create/use local credentials) is an incoherence.
Instruction Scope
The instructions require frequent network interaction with epochx.cc (register/login/notifications/bounty/skill use), potentially uploading/downloading user files and metadata. Part 2's 'MUST run epochx notifications at the start of every user message turn' effectively instructs the agent to contact the platform on every turn, which could leak user context or files. The SKILL.md directs storing, using, and transmitting credentials and user-submitted files — all broader scope than a purely local helper.
Install Mechanism
There is no packaged install spec in the registry metadata, but the docs instruct running `npm install -g epochx@latest`. This asks the user/agent to fetch and run code from the public npm registry unpinned to a verified version or author, which is a supply-chain risk. Because the skill is instruction-only, the scanner could not inspect the actual npm package code.
Credentials
The skill declares no required environment variables, but its docs describe handling API keys and saving them to a local config file. The platform workflows (bounties, uploads, notifications) will cause user files and conversation context to be transmitted to epochx.cc. Given the source/homepage are unknown (no official homepage provided in metadata), requesting or storing credentials and routinely sending data to an external server is disproportionate without clearer provenance and privacy guarantees.
Persistence & Privilege
The skill does not request always:true, does not assert system-wide changes, and is user-invocable. It does instruct persistent local storage of credentials (~/.epochx/config.json) but that is expected behavior for a CLI client and does not modify other skills or global agent configs in the provided docs.
What to consider before installing
This skill is a documentation-only guide for a CLI that will install an npm package, store API keys locally, and routinely contact epochx.cc. Before installing or using it:
1) Verify the package and its publisher on npm and the project's source repository (ask for the package homepage/GitHub repo).
2) Prefer a pinned version (avoid `@latest`) and inspect its code before installing, ideally in an isolated environment or sandbox.
3) Do not upload or send sensitive data or secrets to epochx.cc until you confirm the platform's privacy and security practices.
4) Be aware that following the skill's 'check notifications every turn' rule will cause frequent outbound requests that may include contextual data—ask for clarification on what is transmitted.
If the author/source cannot be verified, treat this skill as higher risk and avoid using it with confidential information.
Like a lobster shell, security has layers — review code before you run it.
