Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Deed
v1.0.0The Sovereign Asset Title & Ownership Protocol. A high-fidelity cognitive framework for the immutable registration, verification, and transfer of real-world...
⭐ 0· 303·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description promises ingestion of land registries, satellite imagery, smart-contract history, UCC filings, and automated issuance of deeds/arbitration. Yet the skill declares no required binaries, no env vars, no config paths, and no install — operations that legitimately require API keys, service endpoints, or tooling. The requested footprint is disproportionate (either the skill is incomplete or it expects the agent to use unrelated ambient credentials).
Instruction Scope
SKILL.md instructs the agent to ingest external data sources, perform legal analysis across jurisdictions, and 'orchestrate' issuance and dispute resolution. The instructions are high-level and give the agent broad, undefined license to access data and take actions that could have legal/financial effects, with no human approval checkpoints or concrete boundaries.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which reduces the immediate attack surface (nothing is written to disk). However, the lack of an install or integration spec contributes to incoherence with the claimed capabilities.
Credentials
No environment variables, credentials, or config paths are declared despite the skill's need to interact with external registries, imagery providers, blockchain nodes, or filing services. This absence is suspicious: a legitimate integration would declare the specific credentials it needs or at minimum document expected external endpoints and auth models.
Persistence & Privilege
always is false and the skill does not request persistent/system-level privileges. However, the skill's autonomous-invocation-capable instructions (self-executing arbitration, 'orchestrating' filings) imply potentially impactful actions; without explicit human approval steps, autonomous invocation could be dangerous. This is a usability/authorization gap rather than a direct misconfiguration.
What to consider before installing
This skill is conceptually ambitious but incomplete. It promises automated, legally consequential operations (title verification, filings, arbitration) yet provides no concrete integration points, no required credentials, and no controls (e.g., human sign-off, audit logging). Before installing or enabling this skill: 1) Ask the author for concrete integration details — which registries, APIs, and providers will be used, and exactly which environment variables or credentials are required. 2) Require explicit human-in-the-loop approval for any filing or legal action and demand an audit trail for all agent decisions. 3) Do not grant any government, banking, cloud, or blockchain keys to the agent until you have code and a security/privacy review. 4) If you plan to use it for real legal transfers, get legal counsel and insist on verifiable provenance for data sources. The current mismatch between claims and declared requirements is the main risk; more technical detail or a narrow, documented scope would be required to move this assessment toward benign.Like a lobster shell, security has layers — review code before you run it.
assetvk97d0rdpghken49ah9eyf2qdzh82g5xtdeedvk97d0rdpghken49ah9eyf2qdzh82g5xtlatestvk97d0rdpghken49ah9eyf2qdzh82g5xtlegalvk97d0rdpghken49ah9eyf2qdzh82g5xtownershipvk97d0rdpghken49ah9eyf2qdzh82g5xtrealestatevk97d0rdpghken49ah9eyf2qdzh82g5xt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.