ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NEAR Protocol CLI installation and setup guide.

v1.0.0

Guide for installing, setting up, verifying, and using NEAR Protocol CLI (near-cli-rs) on all platforms, including obtaining the absolute path of the near bi...

0· 666·0 current·0 all-time
byCuong DC@cuongdcdev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name, description, README, and SKILL.md consistently describe installing, configuring, verifying, and using the near-cli-rs tool. The requested artifacts (none) and included files are documentation only and align with the stated purpose.
Instruction Scope
SKILL.md stays on topic (installation, PATH, verification, common near commands). It does instruct interactive actions that may involve private keys (import/export accounts) but does not request or attempt to harvest credentials itself. Agents following these instructions could cause the user to enter seed phrases or operate on private keys—the skill does not provide guidance to protect sensitive material.
Install Mechanism
The skill is instruction-only (no install spec). The recommended installer uses GitHub Releases (https://github.com/near/near-cli-rs) which is an expected source. However, the instructions include piping a remote installer script to sh (curl | sh), which executes remote code and is inherently higher risk; this is common for CLI installers but users/agents should prefer downloading and reviewing the script or using package managers when possible.
Credentials
The skill declares no required environment variables or credentials. It mentions config file locations (e.g., ~/.config/near-cli/config.toml) and commands that will interact with account keys; that is proportional to a CLI usage guide. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false, the skill is user-invocable, and there is no installation or persistent agent modification. The skill does not request persistent presence or special privileges.
Assessment
This skill is documentation-only and appears coherent for installing and using near-cli-rs. Before running any installer commands (especially curl ... | sh): verify you trust the GitHub release source, prefer downloading the installer and inspecting it instead of piping it directly to sh, check checksums/signatures if available, and run installers in a low-privilege or sandboxed environment when possible. Be careful when using the CLI commands that import or export accounts — those operations involve private keys/seed phrases; never paste seeds into untrusted tooling. If you need higher assurance, install via your OS package manager or cargo/npm when available, or manually review the installer script on the linked GitHub release page.

Like a lobster shell, security has layers — review code before you run it.

latestvk972c0a4skf682xjzqgvyhat21817k8p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments