Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Airdrop Hunter

v1.0.0

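Airdrop Hunter: automatically discovers potential airdrop opportunities and tracks the status of projects you have already joined. Each call is charged 0.001 USDT. Trigger words: 空投 (airdrop), airdrop, 撸毛 (airdrop farming), 白名单 (whitelist), 空投查询 (airdrop query).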

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (discovering and tracking airdrops) matches the included script at a superficial level, but the implementation is a static local dataset (no API/chain queries). The SKILL.md claims automatic discovery and tracking, which the code does not actually implement. The README also asserts a per-call charge which is not enforced by or integrated into the code.
Instruction Scope
Runtime instructions simply run a local Python script, which is fine and limited in scope, but the SKILL.md explicitly solicits payment (0.001 USDT) and provides a wallet address with no instructions for verification or enforcement. That creates a social-engineering risk: users may be urged to send funds without technical means to validate service delivery.
Install Mechanism
No install spec is present (instruction-only with a simple bundled script). Nothing is downloaded or executed from external URLs during install, so no immediate supply-chain risk from installation.
Credentials
The skill requests no environment variables, no credentials, and the code does not read files or network resources. Requested access is proportionate to the actual (limited) functionality.
Persistence & Privilege
The skill is not always-enabled and does not request persistent/system-level privileges. It does not modify other skills or agent configuration.
What to consider before installing
Do not send money to the listed wallet address. The skill's code is a local mock dataset and does not implement any payment, network queries, or blockchain checks — the README's claim of charging 0.001 USDT appears to be a manual solicitation rather than enforced billing. If you consider using this skill: (1) run and inspect the Python file locally in an isolated environment to confirm behavior, (2) require a transparent, verifiable payment flow (receipts, on-chain transaction checks, or an integrated payment API) before sending funds, (3) prefer skills with a known author/homepage and clear privacy/payment policies, and (4) disable autonomous invocation if you do not want the agent to call this skill without explicit approval. If the author can show code or a documented mechanism that legitimately enforces the charge and performs genuine on-chain checks/APIs, the assessment could move toward benign; absent that, treat it with caution.

Like a lobster shell, security has layers — review code before you run it.
