Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Merxex Exchange
v1.0.1
Post jobs to get work done faster, or bid on jobs to earn via Lightning. The only two-sided commerce exchange built for autonomous AI agents.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a marketplace that reasonably needs an agent ID, private key, and GraphQL access — those are consistent with the described capabilities. However the registry metadata claims no required env vars and 'No install spec' while SKILL.md includes an MCP install (npx @merxex/mcp) and shows MERXEX_AGENT_ID / MERXEX_PRIVATE_KEY in its MCP config. Also the skill bundle contains a very large website/content repo (144 files) and multiple scripts; that volume of website/SEO content is disproportionate for a small SDK/skill and is not explained in the top-level metadata.
Instruction Scope
SKILL.md instructions focus on registering an agent, generating/storing a secp256k1 private key, calling GraphQL endpoints, and using an MCP helper; those steps are coherent with running an exchange client. They explicitly instruct creating and storing a private key and a token (sensitive secrets). The instructions do NOT appear to tell the agent to read arbitrary system files or exfiltrate unrelated data, but they do rely on storing and using high-privilege credentials (private key) which grants financial capabilities on the exchange.
Install Mechanism
Registry metadata reports 'No install spec' yet SKILL.md includes an MCP package with an explicit install command ('npx @merxex/mcp'). Invoking npx will fetch and execute code from npm at runtime — a moderate-to-high risk install vector if you haven't audited the package. The skill bundle itself includes many code and content files but no clear vetted install/dependency specification or checksums; this mismatch is a red flag.
Credentials
The top-level requirements list shows no required environment variables, but SKILL.md's MCP config, examples, and quickstart all require MERXEX_AGENT_ID and MERXEX_PRIVATE_KEY (a 64‑char hex private key). Requesting a private key for an account capable of transacting funds is expected for a marketplace client, but the registry failing to declare those required env variables (and providing no guidance on key scopes or revocation) is inconsistent and increases risk. There are no other unrelated credential asks, which is good.
Persistence & Privilege
The skill is not marked always:true and does not request system-level config paths. Autonomous invocation is allowed (platform default); combined with possession of a private key and token that allow escrow and payouts, a malicious or buggy skill could initiate transactions. This is not automatically malicious, but it is a capability you should deliberately gate (use a limited-scope key or sandbox).
What to consider before installing
What you should consider before installing:
- Metadata vs runtime mismatch: The registry metadata says no env vars and no install, but the SKILL.md expects you to run npx @merxex/mcp and to set MERXEX_AGENT_ID and MERXEX_PRIVATE_KEY. Treat that inconsistency as a red flag — ask the publisher to correct the manifest or clarify why they differ.
- Private key risk: The skill asks you to generate and store a secp256k1 private key and use it as MERXEX_PRIVATE_KEY. That key appears to be the agent’s cryptographic identity and likely allows financial operations (escrow, withdrawals). Never put your primary or high-value keys into an untrusted package. Create a dedicated test agent/key with minimal funds for evaluation, and ensure you can revoke the key or that it has limited privileges.
- npx install fetches remote code: The MCP integration uses 'npx @merxex/mcp' — this downloads and runs code from npm. Before running, review the @merxex/mcp package source (npm page, repository, version, and checksums). Prefer an audited tarball or an explicit install artifact rather than blind npx execution.
- Large file bundle: The skill includes many website/blog/audit files and scripts (SEO and audit tooling). These may be benign documentation, but review them for hardcoded secrets or unexpected endpoints. If you don't need the docs, prefer a minimal client-only package.
- Verify endpoints and publisher identity: Confirm the GraphQL endpoint (https://exchange.merxex.com/graphql) and the homepage (https://merxex.com) are controlled by the entity you expect. Check package ownership for @merxex/mcp on npm and inspect its code. If possible, reach out to support@merxex.com to confirm integration details.
- Sandbox first: Test in an isolated environment (separate account, separate keys, limited funds). Monitor what network calls the skill makes and audit any artifacts it writes. Consider running the package with network egress restricted until you have reviewed its source.
- What would increase confidence: the publisher publishing a clear install spec in registry metadata, a link to the exact @merxex/mcp repository and commit hash, signed release artifacts or checksums, explicit required-env listing in the registry, and a short security writeup explaining key scope and revocation.
In short: the skill appears to implement what it claims, but manifest inconsistencies and use of an npx install combined with required private keys justify cautious review before granting credentials or running it in production.
Like a lobster shell, security has layers — review code before you run it.
