Clawhub Skills
v1.0.0
Trade K-pop lightstick tokens on a bonding curve market, using artist popularity, news trends, and price signals to guide buy and sell decisions.
⭐ 1 · 1.5k · 4 current · 5 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious, medium confidence
Purpose & Capability
The runtime instructions implement a 'K-Trendz Lightstick Trading' skill (endpoints, trading logic, token IDs), which is coherent for a trading integration; however, the registry metadata (skill name 'Clawhub Skills', no description, no homepage, unknown source) does not match the SKILL.md content and provides little provenance. That mismatch reduces trust and should be resolved.
Instruction Scope
SKILL.md calls only a narrow set of POST endpoints to query a price and to perform buys and sells, and it includes example decision logic; it does not ask to read local files. It does, however, require an API key (sent as the x-bot-api-key header) on every request, and the skill's declared requirements do not list that credential. The instructions also target a specific Supabase-hosted base URL (jguylows...supabase.co), an external endpoint outside any well-known official domain; ownership of that endpoint should be verified. Because the skill can perform financial actions (buys and sells), the exact wording that permits automated execution matters and should be read before the skill is enabled.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer, which lowers the risk. No third-party packages or downloads are referenced.
Credentials
The skill needs an API key (x-bot-api-key) for its requests, but requires.env and the primary credential fields are empty in the registry metadata, which is an inconsistency. A trading API key is sensitive and should be explicitly declared, scoped, and limited. There is no guidance on key scope, expiry, or what the key authorizes (trading versus read-only).
Persistence & Privilege
The skill does not set disableModelInvocation, so the model may invoke it autonomously. Combined with the skill's ability to place buys and sells and the undeclared API credential, this creates a risk that the agent performs financial transactions without explicit user consent. always is not set, which is good, but the default model-invocable behaviour should be verified and controlled.
What to consider before installing
Do not install or enable this skill until the missing provenance and the credential handling are confirmed. Specifically:
(1) Ask the publisher to correct the registry metadata (name, description, homepage) so it matches SKILL.md, and to prove ownership of the K-Trendz integration.
(2) Require the skill to declare its API key in requires.env, stating whether the key is read-only or trading-capable; do not place sensitive keys in generic or shared environment files.
(3) Verify the base URL (jguylows...supabase.co): confirm it is an official K-Trendz endpoint served over TLS, and ask for an official domain if one exists.
(4) Restrict model autonomy: set disableModelInvocation: true, or require explicit user invocation for any trade-affecting action.
(5) If you must test, use a scoped API key with minimal permissions and low daily limits that you can revoke quickly.
(6) Because this skill can execute financial transactions, treat it as high-risk until provenance and credential handling are clarified.
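The checks above (metadata matching SKILL.md, credential declared in requires.env, HTTPS endpoint on a verified host, no autonomous invocation of a trade-capable skill) can be run mechanically before a skill is enabled. The following pre-install lint is an added example written for this page; it is not OpenClaw or Clawhub code. It assumes a manifest dict with the fields the scan report names (name, description, homepage, requires.env, disableModelInvocation, always); the real registry schema may differ. The sample manifest and SKILL.md text are constructed to mirror the state described in the report, and the Supabase URL in the sample is a placeholder, not the skill's real endpoint.

```python
"""Pre-install lint for an agent skill: registry manifest + SKILL.md text.

Added example, not registry code. The manifest layout (name/description/
homepage, requires.env, disableModelInvocation, always) is assumed from the
fields named in the scan report.
"""
import re
from urllib.parse import urlparse

# Auth-style headers the instructions tell the agent to send (x-...-key/token/secret).
HEADER_KEY_RE = re.compile(r"\b(x-[a-z0-9-]*(?:key|token|secret))\b", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
# Verbs that indicate the skill can move money on the user's behalf.
TRADE_RE = re.compile(r"\b(buy|sell|trade|swap|order)\b", re.I)


def lint_skill(manifest, skill_md, trusted_hosts):
    """Return a list of (severity, code, message) findings.

    manifest: registry metadata dict (layout assumed, see module docstring).
    skill_md: the SKILL.md runtime instructions as text.
    trusted_hosts: hostnames the operator has independently verified as the vendor's.
    """
    findings = []

    # 1. Provenance: the registry entry must describe the same thing SKILL.md does.
    for field in ("description", "homepage"):
        if not manifest.get(field):
            findings.append(("medium", "missing-" + field, "registry metadata has no " + field))
    name = manifest.get("name", "")
    if name and name.lower() not in skill_md.lower():
        findings.append(("medium", "name-mismatch",
                         "registry name %r does not appear in SKILL.md" % name))

    # 2. Credentials: an auth header the agent must send implies a secret that
    #    has to be declared in requires.env, not pulled from a shared environment.
    declared = [v for v in manifest.get("requires", {}).get("env", []) if v]
    headers = sorted({h.lower() for h in HEADER_KEY_RE.findall(skill_md)})
    if headers and not declared:
        findings.append(("high", "undeclared-credential",
                         "SKILL.md sends %s but requires.env is empty" % ", ".join(headers)))

    # 3. Endpoints: TLS only, and only hosts the operator has verified.
    for url in sorted(set(URL_RE.findall(skill_md))):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() != "https":
            findings.append(("high", "plaintext-endpoint", url + " is not served over TLS"))
        if host not in trusted_hosts:
            findings.append(("medium", "unverified-host", host + " is not a verified vendor host"))

    # 4. Autonomy: a skill that can trade must not be model-invocable by default.
    can_trade = TRADE_RE.search(skill_md) is not None
    model_invocable = not manifest.get("disableModelInvocation", False)
    if manifest.get("always"):
        findings.append(("high", "always-on", "skill is loaded into every session (always: true)"))
    if can_trade and model_invocable:
        findings.append(("high", "autonomous-trading",
                         "trade-capable skill is model-invocable; set disableModelInvocation: true"))
    return findings


def verdict(findings):
    """Collapse findings into an install decision."""
    severities = {f[0] for f in findings}
    if "high" in severities:
        return "do-not-install"
    if "medium" in severities:
        return "review"
    return "ok"


# Constructed sample mirroring the registry state the scan report describes.
SAMPLE_MANIFEST = {
    "name": "Clawhub Skills",
    "description": "",
    "homepage": "",
    "requires": {"env": []},
    # neither disableModelInvocation nor always is set
}

# Constructed SKILL.md excerpt; the Supabase URL is a placeholder, not the real endpoint.
SAMPLE_SKILL_MD = """\
# K-Trendz Lightstick Trading
All requests are POST and carry the header x-bot-api-key: <key>.
Base URL: https://example-project.supabase.co/functions/v1
POST /price {"tokenId": ...}                 -> current price
POST /buy   {"tokenId": ..., "amount": ...}  -> buy tokens
POST /sell  {"tokenId": ..., "amount": ...}  -> sell tokens
"""

if __name__ == "__main__":
    for sev, code, msg in lint_skill(SAMPLE_MANIFEST, SAMPLE_SKILL_MD, set()):
        print("%-6s %-22s %s" % (sev, code, msg))
    print("verdict:", verdict(lint_skill(SAMPLE_MANIFEST, SAMPLE_SKILL_MD, set())))
```

Run against the constructed sample with an empty trusted-host set, the lint reports the same six problems the scan describes (missing description and homepage, name mismatch, undeclared credential, unverified host, autonomous trading) and returns do-not-install. Once the manifest declares the key in requires.env, sets disableModelInvocation: true, carries matching name/description/homepage, and the operator has added the verified host to the allowlist, the same text lints clean.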
latest · vk97c1z439sz8836ne16jefywvh80k36w
