Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
QMAP Client
v0.1.2
CLI tool for the QuantMap distributed computing protocol. Manages node setup, task execution, and result submission on devnet.
by Karden @chatrichai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (CLI for a devnet distributed-compute protocol) matches the required binaries (node, npm) and the SKILL.md's install of @alphify/qmap-client. However the registry metadata claims no required config paths or env vars while the SKILL.md references ~/.qmap/profiles/devnet.env and local identity files — a metadata/instruction mismatch.
Instruction Scope
Instructions explicitly tell an agent/user to install the qmap CLI globally and run wallet/node management and task-claiming commands. Those commands will read/write local identity files and contact a network (devnet). The instructions do not ask the agent to read unrelated system files, but they do rely on a local config path that the registry did not declare.
Install Mechanism
The SKILL.md calls for npm i -g @alphify/qmap-client (a public npm package). Installing a global npm package is a moderate-risk install mechanism because it downloads and executes third-party code and writes binaries to the system PATH. This is expected for a CLI but the registry-level install spec was absent/empty while the SKILL.md includes its own install instructions.
Credentials
No env vars or credentials are declared, yet the tool manages wallets/identities and references ~/.qmap/profiles/devnet.env and local identity files (likely containing private keys). The skill does not declare this sensitive config path in its registry metadata, so the agent/user could inadvertently expose or let the agent operate on secrets without clear notice.
Persistence & Privilege
always is false and the skill is not force-included; autonomous invocation is allowed (platform default). The skill does request installing a global binary (which persists on disk), but it doesn't claim elevated platform privileges or modify other skills' configs.
What to consider before installing
This skill appears to be a normal CLI for a devnet protocol, but there are two things to check before installing or allowing agent-driven use: (1) verify the npm package (@alphify/qmap-client) is from a trusted source — inspect its npm page, tarball, or source repository and prefer installing manually in a sandbox; (2) be aware the CLI will create and use local identity files (~/.qmap/...), which likely contain private keys; back them up, restrict their filesystem permissions, and don't let an autonomous agent run wallet/join-network commands with them unless you trust the package. If you need higher assurance, request the skill provider's source repo or a reproducible build, run the CLI in a container or VM, and avoid global npm installs (use a virtual environment or npm prefix) or give the skill least privilege by running commands manually rather than allowing autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
Tags: defi, devnet, latest, protocol, quantitative, solana, tooling
Runtime requirements
🦞 Clawdis
OS: Linux · macOS
Bins: node, npm
