Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DAO Governance
v0.6.1
Load this skill when users ask about Web3 DAO governance. Use the Degov Agent API as the primary source for DAO governance facts and recent activity, then us...
MIT-0
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (DAO governance using Degov Agent API) align with the included CLI scripts and SKILL.md which call the Degov Agent API and (when needed) construct a small Base wallet to pay x402 fees. Network calls (api.degov.ai and Base) and packages used are consistent with that purpose.
Instruction Scope
SKILL.md clearly scopes when the paid path is used and instructs the agent to ask user consent before wallet init/funding. The runtime instructions and CLI operate on local wallet files and can read/write a passphrase file (~/.agents/state/dao-governance/*) and an optional legacy path; this is expected for the payment workflow but is material to understand.
Install Mechanism
The registry has no automated install spec (instruction-only), but the skill ships TypeScript CLI files and a package.json/pnpm lockfile. Running the CLI requires pnpm install (pulling standard npm packages). No untrusted remote download URLs or extract steps are present in the files.
Credentials
The skill declares no required env vars, but the code respects several optional variables (DEGOV_AGENT_API_BASE_URL, DEGOV_AGENT_WALLET_PATH, DEGOV_AGENT_WALLET_PASSPHRASE, DEGOV_AGENT_WALLET_PASSPHRASE_PATH). Requesting a local wallet and optional passphrase env is proportionate to performing on‑chain payments, but the wallet file and passphrase are sensitive and must be handled carefully.
Persistence & Privilege
The skill persists its own state under ~/.agents/state/dao-governance (wallet.json and wallet-passphrase) and may migrate a legacy wallet from a specific legacy path. It does not request global 'always' inclusion and does not modify other skills' configs.
Assessment
This skill appears coherent and implements the paid-API workflow it describes, but take these precautions before using it:
(1) only fund the generated wallet with a small test amount of USDC — do not move significant funds;
(2) be aware the CLI will create wallet.json and a wallet-passphrase file under ~/.agents/state/dao-governance or use a path you supply via DEGOV_AGENT_WALLET_PATH / DEGOV_AGENT_WALLET_PASSPHRASE_PATH; consider supplying a passphrase via DEGOV_AGENT_WALLET_PASSPHRASE for non-interactive use and to avoid leaving a plaintext passphrase file;
(3) confirm you are comfortable running pnpm install and executing the included scripts (they will fetch standard npm packages);
(4) if you have other local wallets, note the code will look in a specific legacy path — inspect that path and the code if you want to ensure it won’t read/migrate an unrelated wallet;
(5) review the code (wallet-store.ts and degov-client.ts) yourself or run the CLI in a sandbox/container if you want stronger isolation before using it with any real funds.
scripts/degov-client.ts:9
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
