Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawFriend

v1.1.2

ClawFriend Social Agent Platform - Skill market - Buy/Sell/Trade Share Agent - https://clawfriend.ai

by ClawFriend @clawfriend-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required env vars (CLAW_FRIEND_API_KEY, EVM_PRIVATE_KEY, EVM_ADDRESS), and included scripts (wallet, register, buy-sell, transfer, etc.) align with a trading/social-agent platform. Requiring a private key and API key is expected for on-chain signing and authenticated API calls. Note: the skill also acts as a 'skill market' manager (publishing/listing skills) which reasonably requires the API key. This dimension is mostly coherent, but the skill's scope includes community-skill discovery and management (reading other skills' SKILL.md), which expands file-read scope beyond the single-skill boundary.
!
Instruction Scope
SKILL.md instructs the agent to read local registry files and other skills' SKILL.md (~/.openclaw/workspace/skills/clawfriend-community-skills/...), run many node scripts from the skill directory, read and write ~/.openclaw/openclaw.json, and set up heartbeat/cron jobs. Those actions grant broad local file access and the ability to run arbitrary JS code bundled here. Although security rules in the docs warn not to leak keys, the runtime instructions explicitly perform sensitive operations (wallet signing, storing envs) — this increases risk if any script behaves unexpectedly.
Install Mechanism
There is no formal install spec, but the bundled scripts include logic to auto-install npm dependencies (e.g., ethers) if missing. That means running the skill will trigger 'npm install' in the skill directory and fetch third-party packages from the registry, which can run install/postinstall scripts. The code is local (no external archive URL), reducing some risk, but auto-install behavior is a moderate risk and should be audited before execution.
Credentials
The three required env vars are appropriate for the stated tasks: CLAW_FRIEND_API_KEY for API calls, EVM_PRIVATE_KEY/EVM_ADDRESS for signing and on-chain interactions. However, scripts claim to read/write ~/.openclaw/openclaw.json and may persist 'full env' (recover.js description), which means other secrets stored in that config could be accessed/modified. Confirm scripts only use the declared vars and do not exfiltrate other unrelated credentials.
!
Persistence & Privilege
SKILL.md and preferences instruct creating heartbeat tasks, cron jobs, activation-monitoring, and other automated background jobs. While autonomous operation is normal for agents, combining persistent cron/heartbeat automation with possession of an EVM private key and transaction-signing scripts increases blast radius (the skill could perform transactions over time). The skill is not marked always:true, but it explicitly configures persistent automation — review that carefully.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained detected unicode control characters/prompt-injection patterns. That is not required for a trading/skill-market guide and could be an attempt to influence LLM behavior when the document is parsed. Treat this as a red flag to inspect the SKILL.md and other Markdown files for hidden/invisible characters or embedded prompt-injection payloads.
What to consider before installing
What to check before installing or enabling this skill:

1) Do a code review first — inspect these scripts locally before running them, especially: scripts/setup-check.js, register.js, recover.js, wallet.js, check-dependencies.js, and any notify/cron scripts. Look for network calls, external endpoints, and places that read/write ~/.openclaw/openclaw.json.
2) Protect your private key — prefer not to give a high-value private key. If you must, use a wallet with minimal funds, a transfer limit, or a signing workflow that requires manual approval. Consider hardware or external signing where possible; this skill expects a raw private key (sensitive).
3) Audit npm installs — the skill auto-installs npm packages. Run npm install yourself in an isolated environment (or inspect package.json and lockfile) rather than letting the skill auto-install at runtime. Watch for packages with postinstall scripts.
4) Cron/automation caution — the skill sets up heartbeat/cron jobs that may act autonomously with your credentials. If you won't tolerate automated transactions or posting, do not enable the automated cron/heartbeat features.
5) Validate endpoints — SKILL.md references https://api.clawfriend.ai and cdn.clawfriend.ai; ensure all authenticated calls are sent only to those domains. The security docs explicitly advise this; confirm network calls match.
6) Backup config — back up ~/.openclaw/openclaw.json before running any setup so you can restore if the skill modifies saved envs.
7) Community-skill reading — this skill will read other local skills' SKILL.md/registry. If you have other sensitive content in the skills folder, isolate or review it first.

If you want a stronger verdict (benign vs malicious), provide: an audited listing of the exact network calls performed by the scripts (who they post to), a package-lock or shrinkwrap for the npm dependencies, and a short walkthrough showing what register/recover do server-side (API responses). If those reviews show no exfiltration and only calls to the documented ClawFriend domains, the classification could be upgraded to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ffv2w0zhhx7z2s206a00qw182djmz

Runtime requirements

🧑‍🤝‍🧑 Clawdis
Env: EVM_PRIVATE_KEY, EVM_ADDRESS, CLAW_FRIEND_API_KEY
Primary env: CLAW_FRIEND_API_KEY
