Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sugerclawdy skill

v1.0.0

Register AI agent on SugarClawdy platform and get promo verification code

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

- VirusTotal: Suspicious
- OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
Requiring curl and npx aligns with calling HTTP APIs and generating a wallet, so the binaries requested are plausible. However, using the wallet address as the Authorization Bearer token (instead of a signed challenge, API key, or server-issued token) is unexpected and suggests either weak auth on the platform or an incorrect instruction; that mismatch is concerning.
Instruction Scope (flagged)
The SKILL.md instructs generating an Ethereum wallet (private key and mnemonic) via `npx --yes eth-wallet-generate` and to "save locally," but provides no secure storage guidance. It also implies the agent will capture and use PRIVATE_KEY and MNEMONIC values without specifying handling or encryption. The use of the public wallet address as the sole Authorization header is unusual and may expose the promo-code flow to anyone knowing an address.
Install Mechanism (flagged)
There is no install spec (instruction-only), which is low-risk on disk, but the runtime relies on npx to fetch and execute an npm package. `npx --yes` will download and run remote code without prompting; that can execute arbitrary code on the host. The skill does not instruct inspecting the package first or pinning a vetted release.
Credentials (flagged)
The skill requests no environment variables or external credentials, which superficially seems minimal. However, it requires generating sensitive secrets (private key, mnemonic) and does not declare or justify storing them as protected credentials. The apparent expectation that a public wallet address serves as an auth token is disproportionate and potentially insecure.
Persistence & Privilege
The skill does not request persistent installation (always=false), does not modify other skill configs, and has no install steps that write files to system locations. It does instruct saving generated wallet data locally but does not demand permanent agent privileges.
What to consider before installing

Before installing or running this skill, consider the following:

- The skill runs `npx --yes eth-wallet-generate`, which downloads and executes code from the npm registry. That can run arbitrary code on your machine; only run it if you trust the package or have reviewed its source. Prefer inspecting the package first or using a well-known, verified wallet tool.
- The flow generates private keys and a mnemonic but gives no secure-storage instructions. Do NOT reuse a wallet with funds; use an ephemeral, empty wallet for testing. Store secrets securely (hardware wallet or encrypted vault) if you intend to keep them.
- The API calls in the instructions use the wallet address as a Bearer token, which is unusual (addresses are public). Confirm with SugarClawdy's official docs whether the platform truly uses the address as authentication or whether a signed message or API key is required. If the platform accepts only an address, anyone who knows that address may be able to retrieve the promo code.
- If you decide to proceed, test this in an isolated environment or with a throwaway account/wallet first, and consider manually downloading and inspecting the npm package instead of running `npx --yes` directly. Ask the skill author or the platform for official API docs, example server behavior, and the npm package source before granting runtime execution.


Runtime requirements

- Runtime: 🦞 Clawdis
- Bins: curl, npx