Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
XRPL Token Sniping
v1.0.0
Monitor XRPL for new token launches, verify issuer flags for safety, and execute fast token buys while managing XRP reserves to minimize risk.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to detect new XRPL tokens and buy them, and the SKILL.md contains code examples that implement subscribing to transactions and submitting Payment transactions. That overall purpose matches the content. However, the skill does not declare required dependencies (it uses require('xrpl') in examples) or any credential/environment requirements despite needing a wallet/private key to submit transactions, which is a proportionality mismatch.
Instruction Scope
Instructions tell an agent to subscribe to a WebSocket, parse transactions, and execute immediate buys (front-running). The guidance references a 'wallet' and submitting transactions but gives no secure method for supplying or protecting private keys. Some guidance is inconsistent or inaccurate for XRPL (e.g., mixing 'contract ownership renounced' language, inconsistent guidance about lsfRequireAuth vs. skip logic). The endpoints in examples differ (xlrps-1.xrpl.link vs xrplcluster.com), which is ambiguous and could cause the agent to contact unexpected servers.
Install Mechanism
This is instruction-only (no install spec), which reduces direct install risk. But the examples assume the 'xrpl' Node library and WebSocket connectivity; the skill does not document installing that dependency. Also the skill directs traffic to third-party endpoints (unknown domains), which is a network-supply risk even without an install step.
Credentials
No environment variables or primary credential are declared, yet the runtime examples require a wallet (private key) to sign/submit transactions. There is no guidance on where that key comes from or how it should be stored, which is a security hygiene problem: submitting transactions requires sensitive credentials but the skill doesn't declare or protect them. The skill also references external endpoints of unclear trustworthiness.
Persistence & Privilege
always is false and there is no install or code that requests persistent elevated privileges or modifies other skills/config. The skill does not request persistent presence or platform-wide changes.
What to consider before installing
This skill is coherent in intent (monitor XRPL and buy new tokens) but contains unclear and inconsistent instructions that raise safety concerns. Before using it you should:
(1) verify the identity and reputation of the endpoints (xlrps-1.xrpl.link, xrplcluster.com) — do not use unknown hosts for private-key operations;
(2) require the author to explicitly state dependencies and an install procedure (e.g., npm install xrpl) and provide secure key-handling instructions (use a vault, never paste private keys into chat or plain files);
(3) ask the author to fix inconsistent flag logic and XRPL terminology and to explain how transaction signing and submitting is done securely;
(4) test any code in a sandbox or on testnet with a throwaway wallet and minimal funds first; and
(5) prefer skills that publish source, a homepage, and a verifiable owner identity.
If you cannot confirm endpoints and private-key handling, do not run it with real funds.
Like a lobster shell, security has layers — review code before you run it.
