Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)

Purpose & Capability
The name and description promise continuous, API-integrated NFT monitoring, but the package is instruction-only: there is no install step and no runtime implementation. It declares 'curl' as a required binary (reasonable for HTTP calls) but names no APIs or endpoints and lists no credentials. Its 'primaryEnv' is set to 'bash', which is not a valid environment-variable or credential name and does not fit the described purpose.
Instruction Scope
SKILL.md is high-level and vague: it claims 24/7 automated execution and API integration but gives no commands, no cron or service setup, no target endpoints, and no guidance on which credentials to use. That vagueness leaves the agent, not the author, to decide which APIs to call, what to post, and what data to collect, which widens the blast radius of any misbehaviour.
Install Mechanism
There is no install spec and no code files (instruction-only), which removes the direct risk of arbitrary downloads at install time. However, SKILL.md references 'clawhub install nft-monitor' without saying what that step does; if it runs anything external, that behaviour is invisible to reviewers of this package.
Credentials
The skill declares no required environment variables, yet its metadata lists 'primaryEnv: bash', which is nonsensical ('bash' is a shell, not an environment-variable or token name). The absence of declared credentials is also inconsistent with the stated API integration: a monitoring skill would normally need API keys or RPC endpoints. The mismatch is unexplained and is the main reason for the suspicious rating.
Persistence & Privilege
The skill is not flagged 'always: true' and uses the default invocation mode (agent-invocable, so it can be triggered autonomously). There is no evidence that it requests system-wide persistence or modifies other skills. The claim of continuous operation is unimplemented rather than a request for extra privilege.
Scan Findings in Context
[no_regex_findings] expected: the static scanner found no code to analyze (only an instruction-only SKILL.md and a README). That absence is expected for an instruction-only skill, but it also means there is no programmatic behaviour to validate; only the prose instructions can be evaluated, and those are what the agent will act on.
What to consider before installing
This skill's description promises automated, API-driven NFT monitoring, but it gives no concrete instructions, endpoints, or credential requirements, and the metadata contains an invalid 'primaryEnv' value ('bash'). Ask the author for: (1) the exact APIs/endpoints used and why, (2) which credentials the skill needs and how they are stored, (3) precise install and runtime instructions for the 24/7 behaviour (service, crontab, or container), and (4) a clarification or fix of the 'primaryEnv' entry. Do not install unless you can confirm which external services it talks to and what secrets (if any) are required. If you must test it, run it in a restricted environment with no access to real credentials and monitor its outbound network calls.
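The inconsistencies called out above (an invalid 'primaryEnv', an API-integration claim with no declared credentials, a network binary with no code to audit, and an install command with no install spec) are mechanical enough to check before installing. The lint below is an added example written for this page, not ClawHub or OpenClaw code. The manifest shape it consumes (a dict with 'requires', 'primaryEnv', 'install', 'files' and 'skill_md' keys) and both sample manifests are constructed assumptions, because the page does not show the real schema or the skill's actual file contents.

```python
"""Consistency lint for an agent-skill manifest (added example, not ClawHub code).

Assumption: SKILL.md frontmatter has been parsed into a dict with the keys
'description', 'requires' (bins/env), 'primaryEnv', 'install', 'files' and
'skill_md' (the raw instruction text). The real ClawHub schema is not shown
on the page, so these key names are hypothetical.
"""
import re

ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")          # POSIX-style env var name
API_CLAIM = re.compile(r"\b(api|endpoint|rpc|webhook)\b")
NETWORK_BINS = {"curl", "wget"}
DOC_SUFFIXES = (".md", ".txt")


def lint_skill(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means the metadata is self-consistent."""
    findings: list[str] = []
    desc = (manifest.get("description") or "").lower()
    requires = manifest.get("requires") or {}
    bins = set(requires.get("bins") or [])
    env_vars = set(requires.get("env") or [])
    primary = manifest.get("primaryEnv")
    code_files = [f for f in manifest.get("files") or []
                  if not f.lower().endswith(DOC_SUFFIXES)]
    instructions = (manifest.get("skill_md") or "").lower()

    # 1. primaryEnv must name an environment variable, and one the skill declares.
    if primary is not None:
        if not ENV_NAME.match(primary):
            findings.append(f"primaryEnv {primary!r} is not a valid environment-variable name")
        elif primary not in env_vars:
            findings.append(f"primaryEnv {primary!r} is not among the declared required env vars")

    # 2. A description that promises API integration should declare credentials.
    if API_CLAIM.search(desc) and not env_vars:
        findings.append("description promises API integration but declares no credentials/env vars")

    # 3. A network-capable binary with no code means the agent picks targets at run time.
    net = sorted(bins & NETWORK_BINS)
    if net and not code_files:
        findings.append(f"requires network binary {net} but ships no code to audit")

    # 4. An install command in the instructions should be backed by an install spec.
    if "clawhub install" in instructions and not manifest.get("install"):
        findings.append("SKILL.md references 'clawhub install' but no install spec is declared")

    return findings


# Constructed to mirror the facts stated in this scan; not the skill's actual file contents.
NFT_MONITOR = {
    "name": "nft-monitor",
    "description": "Continuous, API-integrated NFT monitoring (24/7)",
    "requires": {"bins": ["curl"], "env": []},
    "primaryEnv": "bash",
    "install": None,
    "files": ["SKILL.md", "README.md"],
    "skill_md": "Run `clawhub install nft-monitor`, then let the agent monitor collections via API.",
}

# Constructed counter-example of a reviewable manifest (all names and hosts hypothetical).
CONSISTENT = {
    "name": "nft-monitor",
    "description": "Polls a marketplace API for collection floor prices every 5 minutes",
    "requires": {"bins": ["curl"], "env": ["NFT_API_KEY"]},
    "primaryEnv": "NFT_API_KEY",
    "install": {"type": "none"},
    "files": ["SKILL.md", "monitor.sh"],
    "skill_md": "Run `clawhub install nft-monitor`; monitor.sh calls https://api.example.com with NFT_API_KEY.",
}


if __name__ == "__main__":
    for m in (NFT_MONITOR, CONSISTENT):
        print(m["name"], "->", lint_skill(m) or ["no findings"])
```

Run against the constructed nft-monitor manifest the lint reproduces all four concerns from the scan; against the consistent manifest it returns nothing. The checks are heuristics: a clean result means the metadata agrees with itself, not that the instructions are safe to follow.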
Version: latest (vk979wtedqgwg6n08cxq9yqf4ch83fc40)
Runtime requirements
Bins: curl
Primary env: bash
