Ghost Protocol OpenClaw Pay

The skill bundle provides legitimate-looking tools for Ghost Protocol payments and escrow, but it possesses high-risk capabilities including handling a private key (GHOST_SIGNER_PRIVATE_KEY) for cryptographic signing and making external network requests. Specifically, bin/call-x402.mjs and bin/report-x402-settlement.mjs use the private key to sign transactions and authorization messages sent to ghostprotocol.cc and user-defined merchant endpoints. Furthermore, the documentation in README.md and INSTALL.md references a missing script (scripts/clawhub.ps1) described as applying a 'DNS shim,' which is an unusual and potentially risky networking behavior not fully explained in the provided source code.