Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenDexter

v1.0.0

Use OpenDexter to search, price-check, and pay for any x402 API. Trigger whenever the user wants to find paid APIs, call an x402 endpoint, check pricing, see...

by BranchM @branchmanager69
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose is to search, price-check, and automatically pay x402 APIs using USDC across chains. Paying onchain requires wallet access (private keys, a signing provider, or an external wallet integration), but the package declares no environment variables, config paths, or credentials to enable signing or fund access. That is a core capability/requirement mismatch.
! Instruction Scope
SKILL.md instructs the agent to inspect configured wallets, check balances across multiple chains, auto-select the cheapest chain, and perform payments. Those instructions implicitly require reading or using wallet credentials and performing transactions, but the skill gives no guidance on where those wallets come from or how user consent/approval is handled.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That lowers some risk, but it also means the runtime behavior depends entirely on the agent environment (where the missing wallet integration would live).
! Credentials
No env vars, primary credential, or config paths are declared even though the functionality logically requires access to wallet credentials or a signing service. The absence of any declared credential is disproportionate to the claimed ability to sign and submit payments across multiple chains.
Persistence & Privilege
The skill does not request always-on presence and does not declare modifications to other skills or system-wide configs. Autonomous invocation is allowed by platform default but the skill does not request elevated persistence.
What to consider before installing
Before installing, ask the publisher how wallet access and signing are handled: where are private keys stored, does the skill require the agent to have direct access to your wallet, and will each transaction require explicit user approval? Prefer skills that document the signing flow (e.g., use of an external wallet provider or prompt-based signing), publish source code or a homepage, and support per-call spending limits or mandatory confirmations. Because this skill has no source/homepage and declares no credential requirements while promising automatic payments, treat it as unproven and avoid granting it wallet or signing access until you can verify its implementation and safety.

Like a lobster shell, security has layers — review code before you run it.

latest vk97fcabhgv1xr795hs52s9skxx84gh0e
