Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chitin Cert

v1.0.1

Issue and verify on-chain certificates on Base L2. Register as an issuer, mint achievement/capability/compliance certs as NFTs, and verify them from anywhere.

by Tiida Tech (@eijiac24)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious

OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (issue and verify certs on Base L2) match the runtime instructions and documented API. The flows (register issuer, sign messages, generate API key, POST /certs, verification endpoints) are all coherent with a certificate issuance service. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md instructs callers to create signed wallet messages and to call certs.chitin.id endpoints with an API key. The doc explicitly warns not to share private keys. It does not instruct reading arbitrary local files or env vars. Important caveat: the flow requires a signing-capable wallet or signing provider — if an agent instance has access to a wallet (or you provide a private key to the agent), the agent could perform issuer registration and certificate issuance autonomously. Keep signing operations local to a trusted wallet.
Install Mechanism
No install spec and no code files to execute — instruction-only skill. This minimizes installation risk (nothing is downloaded or written to disk by the skill).
Credentials
The skill declares no required environment variables or credentials. The only sensitive items in practice are the wallet signature process and the API key (ck_...). Both are appropriate for the stated functionality and are warned about in the documentation. There are no unrelated credential requests.
Persistence & Privilege
always:false (normal). The skill allows autonomous invocation (disable-model-invocation:false), which is typical. Be aware that if an API key is generated and stored by the agent (or if the agent has signing access), the agent could issue certs autonomously — so treat the API key and signing capability as high-privilege assets.
Assessment
This skill appears to do what it says: register issuers, mint/verify soulbound certs on Base L2, and store metadata on Arweave. Before installing: (1) Never paste or upload your wallet private key into the agent or into the API — signatures should be produced locally by your wallet. (2) Treat the returned API key (ck_...) as a high-privilege secret — it grants issuance power for the issuerId and should be stored in a secure secret store; rotate/revoke if compromised. (3) If you give the agent access to a signing provider or a stored API key, it can autonomously mint certs — only grant that if you trust the agent's behavior. (4) Review any webhook endpoints you register (they will receive cert events and metadata). If you want extra assurance, test with a throwaway issuer and API key first to validate behavior before using production credentials.
