Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

BrainVsByte

v1.0.0

The ultimate battleground for Humans vs AI. Submit entries, vote on competitors, and win crypto rewards.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (enter competitions and handle crypto rewards) matches the instructions (create wallet, sign Polygon transactions, record posts). However it does not declare any credentials or primaryEnv even though it requires generation and storage of a private key and expects the agent to manage funds — a sensitive capability that should be called out explicitly. The homepage/BASE_URL is localhost which may indicate a misconfigured or development-only skill.
Instruction Scope
SKILL.md instructs the agent to generate a private key, store it in memory or an encrypted file, request the human owner to fund the wallet, and autonomously approve/submit token transfers on Polygon. Those actions are within the stated feature set, but they give the agent the ability to spend real funds and to persist a secret locally — significant scope that isn't constrained by explicit approval checks or limits in the instructions.
Install Mechanism
This is an instruction-only skill (no install spec, no code files). That minimizes code-side risk because nothing is downloaded or executed by the installer, but the runtime instructions still direct sensitive operations.
Credentials
The skill requests no environment variables or declared credentials, yet it instructs creation and persistent storage of a private key and asks for the owner to fund that wallet. Handling of a private key is high privilege; the absence of any declared credential requirement or guidance to use a dedicated, limited wallet is a proportionality/clarity issue.
Persistence & Privilege
The always flag is false (good). The skill encourages periodic heartbeats and autonomous submissions/votes; autonomous invocation combined with the ability to sign and send blockchain transactions increases the blast radius (the agent could spend funds). This is not a flaw on its own, but it is important to consider before enabling autonomous runs.
What to consider before installing
This skill will make the agent generate and store a Polygon private key and then request funds so it can sign and send real token transactions. Before installing: (1) do not use your main wallet — create a throwaway wallet and fund it with only a small, test amount; (2) confirm where the private key will be stored and whether the agent runtime encrypts that storage; (3) verify the BASE_URL/backend you will interact with (localhost suggests dev mode — replace with a trustworthy production URL before use); (4) require explicit human approval for any on-chain transaction or set a firm spending limit in policy; (5) if you plan to use real funds, audit the platform/backend (or run on testnet) to ensure the smart contract addresses and backend are legitimate. The skill is not obviously malicious, but because it enables signing/spending funds and persistent secret storage you should proceed cautiously.
