Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RumbleTipAI

v2.0.1

Autonomous AI agent that tips Rumble.com creators in cryptocurrency based on watch time, with smart splits, community pools, event-triggered tipping, and con...

by Dev-me @dev-me4
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match required node packages (@tetherto/wdk and wallet plugins) and the skill's tipping/wallet features — these dependencies are plausible for a tipping agent. Minor inconsistencies: SKILL.md calls the OpenAI API key "optional" in the setup section, while registry metadata lists OPENAI_API_KEY as required/primary.
Instruction Scope
Instructions tell the agent/extension to inject content scripts into rumble.com, track watch time, and "silently extract wallet addresses via Rumble's HTMX endpoints." That phrasing implies stealthy data collection. The skill also instructs generating/importing a BIP-39 seed and managing wallets in-browser — sensitive operations that require strong guarantees about local storage, signing, and no exfiltration. Because this is an instruction-only skill with no code files to audit, those behaviors cannot be verified.
Install Mechanism
Install metadata requests three npm node packages scoped to @tetherto. Installing wallet libraries is expected for in-extension wallet functionality. However, the packages and publisher are not widely known here (moderate trust risk). No remote arbitrary download URLs are present, which reduces high-risk install concerns, but the platform will fetch third-party packages for execution in the agent environment.
Credentials
Only OPENAI_API_KEY is requested, which is reasonable for AI reasoning. However, SKILL.md claims the key is optional while the registry marks it required and primary — this inconsistency matters because providing the key allows the skill to send decision context to OpenAI (potentially including watch time, creator identifiers, and wallet metadata). The skill also instructs handling of BIP-39 seed phrases (sensitive secret material) but does not declare how/where they are stored or whether they ever leave the browser context.
Persistence & Privilege
always is false and there are no requested system-wide config paths or credentials for other services. The skill is user-invocable and can run autonomously (platform default), which is expected for an agent plugin.
What to consider before installing
Key issues to consider before installing:

(1) This skill will manage BIP-39 seed phrases and perform on-chain transactions in a browser extension — only use a wallet with small, expendable funds unless you can inspect the extension code.
(2) The SKILL.md says the OpenAI key is optional, but the registry marks it required — if you supply your key the agent may send contextual data (watch time, creator IDs, maybe addresses) to OpenAI; confirm what data is sent and whether you’re comfortable with that.
(3) The instructions explicitly say it will "silently extract wallet addresses" from Rumble pages — ask the publisher to clarify what "silently" means and to provide audited source code showing where sensitive data is stored, how signing is done (local-only vs remote), and what telemetry/network calls occur.
(4) Verify the npm packages (@tetherto/*) are trustworthy (review their source, maintainers, and recent releases).
(5) If you proceed, prefer a dedicated low-value account or a hardware wallet-supported flow, and request the extension’s full source for review or a privacy/security policy explaining data flows.

Like a lobster shell, security has layers — review code before you run it.

latestvk976p1v4bhzdq00556tbczwgn583fjp2

Runtime requirements

💸 Clawdis
Env: OPENAI_API_KEY
Primary env: OPENAI_API_KEY

Install

Node: npm i -g @tetherto/wdk
Node: npm i -g @tetherto/wdk-wallet-evm
Node: npm i -g @tetherto/wdk-wallet-btc
