EdgeOS Applications
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do what it says—EdgeOS login, applications, and ticket payments—but it uses account tokens, profile data, and payment authority that users should review carefully.
This skill is reasonable for applying to EdgeOS popups and buying tickets, but it is not a low-impact helper. It will authenticate to EdgeOS, store a reusable JWT locally, prefill application answers from your profile/context, and may create checkout links or settle USDC payments if you choose that path. Review all application fields and payment details before approving, use it only in a trusted workspace, and clear scripts/.state if you do not want the EdgeOS session retained.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved with the wrong product, attendee, quantity, or amount, the user could create an unwanted checkout or payment flow.
The script can create ticket payment sessions using the authenticated account. This matches the skill purpose, but it is a real account/payment mutation.
curl -sS -L -X POST "$BASE_URL/payments" ... -H "Authorization: Bearer $JWT" ... -d "$PAYLOAD"
Review the product, attendee, quantity, insurance/custom amount, and total before allowing payment creation or x402 settlement.
Anyone with access to those local state files may be able to reuse the EdgeOS session while the JWT remains valid.
Successful OTP login saves the bearer JWT and current email in local state files for later API calls.
printf '%s' "$token" > "$file" printf '%s' "$email" > "$JWT_STATE_CURRENT_EMAIL_FILE"
Use this only on a trusted machine/workspace, avoid shared environments, and delete the skill's scripts/.state files when you no longer want the session retained.
Stale, incorrect, or overly personal information from USER.md could be inserted into an application unless the user catches it during review.
The skill uses persistent workspace profile/context as a primary source for application answers.
Before collecting fields, read workspace `USER.md` and use it as prefill context when values are relevant and trustworthy for the current user.
Check the generated field review carefully and keep USER.md accurate; do not submit if any inferred personal detail is wrong or too sensitive.
Users have less external context for verifying the publisher, update history, or intended service ownership beyond the bundled artifacts.
The supplied metadata does not provide a source repository or homepage for independent provenance verification.
Source: unknown Homepage: none
Install only if you trust the listed publisher and are comfortable with the reviewed bundled scripts and disclosed API endpoint.