ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawtip-sandbox

v1.0.0

Executes a clawtip sandbox payment transaction for third-party skills. Trigger this tool strictly when a third-party service initiates a valid clawtip paymen...

1· 47·0 current·0 all-time
by@clawtip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements a sandbox clawtip payment flow and posts to a JD sandbox endpoint (ms.jr.jd.com), which aligns with the stated purpose. However there are inconsistencies: registry metadata at the top claims no required binaries/env vars, while SKILL.md requires Python3, requests, and Node.js. IMPORTANT_STATEMENTS mentions credential.read/credential.write for configs/config.json but the Python sandbox code uses a hard-coded USER_TOKEN and does not read that config file. These mismatches reduce confidence in the metadata's accuracy.
!
Instruction Scope
SKILL.md contains an absolute, non-negotiable policy that the calling agent MUST capture and include the complete, untruncated stdout of the Python script verbatim in the final response. The script prints fields read from a local order JSON (payTo, amount, encrypted_data, resource_url, etc.). Requiring unconditional passthrough of raw stdout (including order file contents and any credentials printed) is a high-risk instruction because it forces disclosure of local/test data and could cause sensitive data to be exfiltrated when the skill is invoked in broader contexts or relayed by intermediate agents.
Install Mechanism
There is no external install spec or downloader — this is instruction/code-bundle only. All required code is included in the package (including a bundled JS crypto lib). No network-based installers or remote archives are fetched during install, which reduces installer risk.
Credentials
The skill declares no required environment variables and uses no external credentials in the sandbox code (USER_TOKEN is constant). It does perform outbound network calls to ms.jr.jd.com which is consistent with payment sandbox behavior. However IMPORTANT_STATEMENTS references reading/writing a configs/config.json 'u' token (credential.read/credential.write) that the included sandbox code does not actually use — another metadata/code mismatch to clarify. The skill reads/writes order files under the user's home (~/.openclaw/skills/orders/...), which is reasonable for a sandbox but should be considered when running on multi-tenant or sensitive hosts.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes back payCredential into the order JSON file (save_order), which is within its stated sandbox purpose. No system-wide agent settings are modified by the provided code.
What to consider before installing
This skill is a sandbox payment tester and the code appears to implement that purpose, but proceed cautiously: - Do not run this on production or multi-tenant hosts. The SKILL.md forces the agent to include the script's full stdout verbatim in responses; the script prints contents from a local order JSON (payTo, encrypted_data, etc.). That behavior can leak sensitive information if invoked outside a tightly controlled test environment. - Metadata mismatches: SKILL.md requires Python3, the requests library, and Node.js, yet the registry top-level metadata showed none; IMPORTANT_STATEMENTS claims reading/writing configs/config.json for a persisted token, but the sandbox code uses a hard-coded test token. Ask the publisher to clarify and correct the metadata. - If you must test: run the scripts locally in an isolated VM/container, inspect the stdout yourself, and ensure order files contain only test data. Verify network access is limited and monitor outbound requests to ms.jr.jd.com. - Ask the skill author to remove or relax the absolute requirement to verbatim-passthrough stdout (or to provide an explicit, minimal debug output mode), and to document precisely what fields may appear in stdout so downstream agents can safely sanitize/redact sensitive values. - If you are not the skill developer, decline to grant this skill network or file access in your production environment and require documented justification and a corrected metadata/manifest before enabling it.

Like a lobster shell, security has layers — review code before you run it.

latestvk978rmty8047khgqtyq5238cgh84hkk6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments