Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mpps Attestation
v1.3.0
Free attestation for agents. Hash your data, POST to api.mpps.io, get a signed receipt. 10 free/hour + 10 certified/day.
by @gdlg-ai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the instructions: compute a SHA-256 hash locally and POST it to api.mpps.io. No credentials, installs, or unrelated capabilities are requested. The SKILL.md notes curl or any HTTP client is required; the registry metadata did not list curl as required but the skill provides both bash and python examples, so this is proportionate.
Instruction Scope
Instructions only compute a local hash and send it to api.mpps.io; they do not direct the agent to read unrelated files or secrets. However, hashing small or predictable secrets can leak identifiable information—SKILL.md warns to avoid hashing short secrets or to salt them. Users should ensure the agent won’t automatically attest sensitive plaintext without salting or user consent.
Install Mechanism
No install spec or code files — instruction-only skill. Lowest-risk distribution model (no downloads or executables written to disk).
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to its described network-only notarization function.
Persistence & Privilege
always:false and default autonomy settings mean the agent can call the service autonomously (normal for skills). Consider whether you want the agent to be allowed to send attestations automatically, since network calls will transmit hashes to an external service.
Assessment
This skill appears to do only what it says: locally hash data and POST the hash to api.mpps.io for a signed receipt. Before installing, consider: (1) Do you want your agent to be able to send hashes to an external service automatically? If not, disable autonomous invocation or require user confirmation. (2) Never hash short or low-entropy secrets directly — salt them or include additional context so the hash does not leak them. (3) Verify the service (https://mpps.io and the referenced GitHub repo) and its TLS endpoint, privacy policy, and claimed HSM/S3 guarantees if you depend on long-term legal/technical attestations. (4) Note the free usage limits (10 attestations/hour, 10 certified/day) and that network connectivity to api.mpps.io is required.
Like a lobster shell, security has layers — review code before you run it.
