Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smartclaws Producer
v1.0.1
Set up IoT sensors and publish data to SKALE blockchain via SmartClaws. Use when: setting up smartclaws, registering devices, connecting sensors, publishing...
by Dmytro @dmytrotkk
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (publish IoT data to SKALE via SmartClaws) matches what the skill asks for: python3 for example scripts, and curl/wget to download the smartclaws CLI. The included example scripts call the CLI as expected; nothing requests unrelated services or credentials.
Instruction Scope
SKILL.md stays on-topic: it instructs installing the CLI, initializing a wallet, registering devices, and writing publisher scripts. It asks the agent to confirm sensor model/connection before producing hardware-specific code. The scripts only access BLE (via bleak) or generate mock data and call the smartclaws CLI via subprocess — no instructions to read arbitrary system files or exfiltrate unrelated data.
Install Mechanism
There is no packaged install spec (instruction-only), but SKILL.md recommends downloading the smartclaws binary from the project's GitHub releases (https://github.com/skalenetwork/smartclaws/releases/latest/...). Using GitHub releases is reasonable, but downloading/executing a binary from the network carries standard supply-chain risk. Writing to /usr/local/bin may require root — the user should verify the release and checksum before installing.
Credentials
The skill declares no required environment variables or credentials. That is proportionate: operations (wallet creation, device registration) are handled by the smartclaws CLI and stored in ~/.smartclaws as the instructions describe. No excessive credential access was requested.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The smartclaws CLI will create a local config/wallet at ~/.smartclaws and store keys there — expected for blockchain clients, but users should be aware these private keys are persisted locally and must be protected/backed up. The skill does not request system-wide configuration changes beyond installing the CLI.
Assessment
This skill appears to do what it claims: it helps install the SmartClaws CLI, create a wallet, register devices, and run publisher scripts (BLE or mock). Before installing or running anything:
- Verify the smartclaws GitHub repo and the release you download (check tags/release notes and ideally a checksum/signature) before running curl | install to /usr/local/bin.
- Installing to /usr/local/bin may require root; prefer ~/.local/bin if you cannot trust the binary or do not want system-wide installs.
- The smartclaws CLI will create a wallet and store private keys/config in ~/.smartclaws; protect these files (back them up or use a secure machine) and never publish private keys publicly.
- Funding the generated wallet (sFUEL) is required for registration/publishing; do not fund with valuable assets on an untrusted machine.
- Example scripts require Python dependencies (e.g., bleak for BLE). Review and audit any packages you pip-install.
- If you need stronger assurances, inspect the smartclaws CLI source code and releases or run it in a sandboxed environment before using on production hardware.
Overall there are no incoherent or unexplained requirements, but standard supply-chain and key-management precautions apply.
Like a lobster shell, security has layers — review code before you run it.
latest vk973ss11mxvrrmmfta9991zcan84c2kr
Runtime requirements
📡 Clawdis
Bins: python3
Any bin: curl, wget
