Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YYClaw

v1.0.0

Access and call 50+ AI models via YYClaw API with on-chain stablecoin payments; check balance, usage, models, and make API calls using one API key.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a gateway that requires a YYCLAW_API_KEY to call models and check balance — this is consistent with the skill's description. However, the registry metadata lists no required environment variables or primary credential, which is an inconsistency (the skill clearly needs an API key).
Instruction Scope
The runtime instructions are narrowly scoped to interacting with https://crypto.yyclaw.cc: reading the YYCLAW_API_KEY, calling /v1/balance, /v1/usage, /v1/models, and /v1/chat/completions. The instructions do not request unrelated system files, secrets, or network exfiltration beyond the gateway endpoint.
Install Mechanism
No install spec or code files — instruction-only skill. Nothing is written to disk or downloaded by the skill itself, which minimizes install-time risk.
Credentials
The skill requires a single service API key (YYCLAW_API_KEY) and optionally YYCLAW_BASE_URL — both are proportionate to the described functionality. The concern is that the registry metadata does not declare this required credential, so users relying on metadata may not realize an API key (and therefore tokens/approval on-chain) will be used/sent to an external service.
Persistence & Privilege
always is false and the skill is user-invocable. There is no install behavior or configuration changes, so it does not request elevated persistence or system privileges.
What to consider before installing
This skill appears to do what it says (wrap YYClaw API calls), but note the registry metadata omission: SKILL.md requires YYCLAW_API_KEY (and optionally YYCLAW_BASE_URL) even though the manifest lists no env vars. Before installing:
1) Verify the service domain (https://crypto.yyclaw.cc) and its reputation and TLS certificate;
2) Be aware the skill will read YYCLAW_API_KEY from your environment and send it to that external endpoint — do not paste private keys or long-lived wallet keys into the agent/chat;
3) Because payments are on-chain, prefer minimum/ephemeral allowances or low test balances and monitor on-chain approvals/transactions;
4) Consider setting YYCLAW_BASE_URL only to a trusted endpoint (avoid overriding to untrusted URLs);
5) If you need higher assurance, ask the publisher for provenance (homepage, owner contact, audit) or request the registry metadata be updated to declare YYCLAW_API_KEY as a required credential.
If you don’t trust the external payment/gateway provider, do not provide the API key.

