Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

BlindOracle - Privacy-First Agent Infrastructure

v1.0.1

Privacy-first agent infrastructure offering secure forecasting markets, decentralized credential verification, multi-rail settlement, and cross-rail micropay...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and metadata present a 'sanitized' privacy/payments service with no required credentials. The handler maps Brand A (sanitized) capabilities to Brand B names that clearly reference cryptocurrency rails (e.g., withdraw_lightning, swap_btc_eth, amount_sats). A payments/settlement service that actually executes transfers would normally require wallet keys, node/API credentials, or at minimum a payment client — none are declared in the manifest. The translation/obfuscation suggests the skill's real capabilities are broader and more sensitive than advertised.
Instruction Scope
SKILL.md instructs agents to use gateway.invoke and talks to https://craigmbrown.com/api/v2; this is expected. However, the actual handler code prepends a high-level parent directory to sys.path and attempts to import external modules (security.blindoracle_security_gateway and distribution.clawhub_skill.handler) that are not included in the package. Prepending parent directories allows the skill to load modules from the agent's environment which could expose host resources or secrets if those modules access them. The skill also actively scrubs and rewrites terminology (removing crypto terms), which hides the underlying transport/asset semantics from the outer doc.
Install Mechanism
No install spec (no downloads/write-to-disk installer) is provided, which limits upfront risk. However, the package includes non-trivial Python code (handler.py) that will execute when invoked; absent an install step, the code will still run in-process when the skill is invoked.
Credentials
The skill requests no environment variables or credentials in its manifest despite clearly performing financial settlement and transfer operations. Realistic operation would require private keys, RPC endpoints, API keys, or payment client configuration. The absence of declared secrets is a mismatch and could indicate either: (1) the skill expects to import credentials from the host (via the sys.path trick), or (2) the manifest is incomplete/obfuscated. Both are security-relevant.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system configuration changes in the provided files. This lowers privilege concerns. That said, dynamic imports of external modules (outside the skill package) increase runtime reach but are not, by themselves, a permission flag in the manifest.
What to consider before installing
This skill exhibits concerning mismatches between its public description and its implementation. Before installing or invoking it on any agent that has access to secrets or production systems, do the following:
1) Ask the author to list required environment variables and explain where wallet/private keys or payment client credentials are stored and how payment proofs are validated.
2) Request the missing modules referenced by handler.py (security.blindoracle_security_gateway and distribution.clawhub_skill.handler) and review them — the handler currently modifies sys.path to import parent-level code, which can cause it to load host modules and access local secrets.
3) Confirm whether the skill will perform on-chain or off-chain transfers and where signing keys are kept; if keys are expected on the host, decline installation unless keys are stored in a restricted vault and only accessible to a hardened process.
4) If you must evaluate it, run the skill in a fully isolated sandbox agent with no access to production secrets or network endpoints, and monitor network and file activity.
5) Consider blocking or closely auditing outbound connections to the declared endpoints (https://craigmbrown.com) and any RPC endpoints the missing modules may call.
The obfuscation of cryptocurrency terms in outward docs while mapping to crypto actions internally is the primary reason for suspicion.


Tags: forecasting, infrastructure, latest, payments, privacy
