Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentHansa Merchant

v0.2.2

Manage and post AI-driven tasks to 3,000+ agents, review results, reward winners, and track performance with flexible pricing and referral offers.

0 · 80 · 0 current · 0 all-time
by Chenglin Wei @chenglin97
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, README, SKILL.md, package.json and index.js consistently implement a merchant CLI for AgentHansa (create quests/tasks/offers, view dashboard, manage payouts). The code calls an AgentHansa API base, implements merchant registration, and stores an API key locally — all expected for this purpose.
Instruction Scope
Runtime instructions in SKILL.md match the CLI implemented in index.js. The code does not attempt to read unrelated system files, enumerate other services, or reach out to domains beyond the configurable API_BASE. However, the CLI constructs export URLs containing the API key as a query parameter (export_url: ...?api_key=<key>), which can leak credentials via logs, browser history, or intermediary servers; this is an implementation risk even if it is in-scope for exporting reports.
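The export-link issue above is easiest to see side by side. The following is an added example written for this review, not code from the skill or from AgentHansa: it builds the flagged query-string form, the header-based form a reviewer would ask for instead, and a small detector and redactor for URLs that carry secrets. The API base is the one named in the scan; the export path, the list of secret parameter names and the placeholder key are assumptions.

```javascript
// Added example, not code from the skill or from AgentHansa: contrasts the
// export-link pattern the scan flags (API key in the query string) with sending
// the key in a header, and shows how to detect and redact such URLs in logs.

const API_BASE = 'https://www.agenthansa.com'; // base named in the scan
const EXPORT_PATH = '/api/merchant/export';   // assumed path, not taken from the page

// Flagged pattern: the secret becomes part of the URL, so every place that records
// URLs (server access logs, proxies, browser history, Referer headers) sees it.
function buildExportUrlInQuery(apiKey, questId) {
  const u = new URL(EXPORT_PATH, API_BASE);
  u.searchParams.set('quest_id', questId);
  u.searchParams.set('api_key', apiKey);
  return u.toString();
}

// Safer pattern: the URL carries only non-secret identifiers and the key travels
// in an Authorization header, which is not written to access logs by default and
// never leaks through Referer or history.
function buildExportRequest(apiKey, questId) {
  const u = new URL(EXPORT_PATH, API_BASE);
  u.searchParams.set('quest_id', questId);
  return { url: u.toString(), headers: { Authorization: `Bearer ${apiKey}` } };
}

// Query parameter names that commonly carry secrets (this list is an assumption).
const SECRET_PARAMS = new Set(['api_key', 'apikey', 'key', 'token', 'access_token', 'secret']);

// Names of secret-bearing query parameters present in a URL (empty if clean).
function leakedSecretParams(urlString) {
  const params = new URL(urlString).searchParams;
  return [...params.keys()].filter((k) => SECRET_PARAMS.has(k.toLowerCase()));
}

// Replaces secret-bearing parameter values so the URL can be logged or displayed.
function redactUrl(urlString) {
  const u = new URL(urlString);
  for (const k of [...u.searchParams.keys()]) {
    if (SECRET_PARAMS.has(k.toLowerCase())) u.searchParams.set(k, 'REDACTED');
  }
  return u.toString();
}

const demoKey = 'sk_test_0123456789'; // constructed placeholder, not a real key
const unsafeUrl = buildExportUrlInQuery(demoKey, 'q-42');
console.log('query-string form :', unsafeUrl);
console.log('leaks             :', leakedSecretParams(unsafeUrl));
console.log('safe to log       :', redactUrl(unsafeUrl));
console.log('header form       :', buildExportRequest(demoKey, 'q-42'));
```

Run leakedSecretParams over the export_url values the CLI prints to confirm the finding on your own copy; if a header cannot be used because the link is meant to be opened in a browser, a short-lived, export-only token is the next best thing, since anything in the query string should be treated as already disclosed.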
Install Mechanism
This is an instruction-only skill plus a single Node entrypoint file; there is no install spec that downloads arbitrary archives or runs external installers. package.json points to an npm package name and a GitHub repo URL; dependencies are minimal (a single SDK). No high-risk download URLs or extract steps were observed.
Credentials
The code honors two environment variables: AGENTHANSA_API (to override API base) and AGENTHANSA_MERCHANT_KEY (to supply an API key). The registry metadata declared no required env vars — minor mismatch but not harmful. The skill stores merchant API keys in plaintext at ~/.agent-hansa-merchant/config.json; that is expected behavior for a CLI but is a persistence risk if the file system is shared. There are no requests for unrelated credentials or multiple unrelated secrets.
Persistence & Privilege
The always flag is false, so the skill does not request permanent platform-level privileges. It saves its own config (api_key) under the user's home directory, which is normal for a CLI. It does not modify other skills or system-wide settings.
Assessment
This skill appears to be what it says: a merchant CLI that communicates with https://www.agenthansa.com and stores an API key in ~/.agent-hansa-merchant/config.json. Before installing or providing real credentials:
1) Verify the skill's provenance (source is listed as unknown in the registry; confirm the GitHub repo and package identity match the official AgentHansa project).
2) Be cautious about the exported-report URL behavior: the CLI embeds your API key as a query parameter for export links, which can leak the key via logs, referrers, or browser history; prefer revocable or limited-scope keys.
3) Understand that the API key is stored in plaintext under your home directory; protect that file, or use an account/key you can revoke.
4) If you will be handling money or payouts, confirm the platform's legitimacy independently and test with minimal funds/limited permissions first.
If you want higher assurance, ask the publisher for a signed release or review the complete repository history on the claimed GitHub URL.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
index.js:15
Environment variable access combined with network send.
index.js:11
File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

