Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KYC & Identity

v1.0.1

Know-Your-Customer verification via MasterPay Global. Submit personal data, upload identity documents, and track approval status.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's endpoints and flows match a KYC/identity workflow (profile, upload documents, submit KYC). However, the registry metadata marks AIOT_API_BASE_URL as the primary credential, which is unusual — a base URL is not a secret credential. The skill also hardcodes a default dev API URL (https://payment-api-dev.aiotnetwork.io), which is unexpected for a production-facing KYC skill and could lead to accidentally sending PII to a development environment.
Instruction Scope
The SKILL.md stays within KYC tasks (create user, update profile, upload docs, poll status) but repeatedly requires authenticated calls and instructs the agent to "verify the session has a valid bearer token" and to prompt for transaction PINs. The skill does not document how authentication tokens are obtained, stored, or provided (no required env var or auth flow described). That missing auth specification is a scope/integration gap: the agent will need access to bearer tokens or session state not declared by the skill.
Install Mechanism
Instruction-only skill with no install spec or code files. This is the lowest-risk install model — nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares only AIOT_API_BASE_URL as a required env var and even lists it as the primary credential. It does not declare any token/secret env var for bearer tokens or API keys, yet the API endpoints require auth. Asking for only a base URL (and treating it as the primary credential) is disproportionate and inconsistent with the stated need to authenticate; it's unclear where the bearer token comes from (platform session, another skill, implicit user input).
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system paths, nor does it attempt to persist configuration or modify other skills. No elevated persistence privileges are requested.
What to consider before installing
This skill claims to perform KYC flows and will handle sensitive personal data and identity documents. Before installing or using it, ask the publisher: (1) Where do bearer tokens or API credentials come from? The skill asks you to verify a 'valid bearer token' but does not declare any token env var or auth setup — confirm how authentication is provided and secured. (2) Why is the primaryEnv set to AIOT_API_BASE_URL (a URL, not a secret)? That looks like a misconfiguration. (3) Confirm the target API base URL: the default points to a development host (payment-api-dev.aiotnetwork.io). Do not upload real PII to a dev endpoint; insist on a validated production endpoint and data-handling policy. (4) Verify the skill owner's identity, privacy/retention policies, and compliance (handling of PII, retention, who can access uploaded documents). (5) Request explicit documentation of where transaction PINs and bearer tokens are stored, whether the platform will log them, and whether uploads are encrypted in transit and at rest. If the author can provide a corrected primaryEnv (e.g., a token name), a clear auth flow, and a confirmed production base URL, that would address the main concerns and could raise confidence.


Latest version: vk97cq03g26xbdja626fv2f4grx839ax5


Runtime requirements

Env: AIOT_API_BASE_URL
Primary env: AIOT_API_BASE_URL
