Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Liberfi Auth

v1.0.0

Authenticate with LiberFi: register a new account, log in, manage session state, and verify wallet assignments. Two login modes are supported: 1. Key-based (...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly describes an 'lfi' CLI-based authentication flow (key- and email-OTP login) and local session/key files under ~/.liberfi, which is coherent with the stated purpose. However, the skill registry metadata lists no required binaries or install steps while the runtime instructions rely on an 'lfi' executable and reference a shared bootstrap.md. The homepage field in the registry metadata is listed as 'none' but SKILL.md metadata includes 'https://liberfi.io' — these mismatches reduce confidence.
Instruction Scope
Instructions explicitly read/write sensitive local files (~/.liberfi/session.json, ~/.liberfi/keys/*.json) and call network endpoints (/v1/auth/key). That behavior is expected for an auth CLI. The SKILL.md also instructs automated agents to always use key login and to never block on OTP, which is appropriate. Concern: it references ../shared/bootstrap.md for CLI installation but that file is not present in the package, so the agent may be missing installation/connectivity guidance.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general — but SKILL.md requires the 'lfi' CLI and points to an external bootstrap.md. The skill does not declare the 'lfi' binary as required, nor does it include installation instructions or a link in the registry metadata. This gap is an incoherence: either the registry should declare the binary dependency or the instructions should embed installation steps or a trustworthy download link.
Credentials
The skill requests no environment variables or external credentials in the registry metadata. The SKILL.md relies on local key files and the CLI to obtain a JWT from the LiberFi server — that is proportionate to an auth helper. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It stores session and key files under the user's home directory as expected for a CLI auth flow. There is no evidence it modifies other skills or global agent configuration.
What to consider before installing
This skill appears to be an instruction-only adapter for the 'lfi' CLI and manages local keys and a JWT in ~/.liberfi. Before installing or using it:

1) Verify the provenance: confirm the 'liberfi' project and its CLI (https://liberfi.io) are legitimate and that you trust the publisher.
2) Ensure the 'lfi' binary is actually installed from a trusted source (the SKILL.md references a bootstrap.md that isn't included here).
3) Confirm you are comfortable with a local private P-256 key being written to ~/.liberfi/keys/default.json (0600) and a JWT in ~/.liberfi/session.json.
4) Ask the author/publisher to fix the package metadata to declare the 'lfi' binary dependency or include explicit, verifiable install instructions.
5) If you plan to run this in an automated agent, follow the skill's advice to use key login and never block on OTP.

If you cannot verify the CLI's origin or the missing bootstrap instructions, treat the package as untrusted.
