ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Scam Red Flags

v1.0.0

A scam-screening skill that reviews offers, messages, or influencer claims and points out concrete red flags. Use when the user receives a suspicious offer,...

0· 60·0 current·0 all-time
byhaidong@harrylabsj

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for harrylabsj/crypto-scam-red-flags.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Crypto Scam Red Flags" (harrylabsj/crypto-scam-red-flags) from ClawHub.
Skill page: https://clawhub.ai/harrylabsj/crypto-scam-red-flags
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install crypto-scam-red-flags

ClawHub CLI

Package manager switcher

npx clawhub@latest install crypto-scam-red-flags
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be prompt-only and to work from pasted text; it does not need to access the local filesystem. Yet handler.py calls _load_skill_meta which opens /Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md — a hard-coded user-home path. Reading arbitrary local files is not justified by the scam-screening purpose and is disproportionate.
!
Instruction Scope
SKILL.md describes a prompt-only workflow and does not instruct reading local files. The handler code contradicts that by attempting to read a SKILL.md from a specific local path. That is scope creep: the runtime behavior (file I/O) is not documented in the skill instructions.
Install Mechanism
There is no install spec and no downloads or external installers. No additional packages or network installs are requested, so the install mechanism itself is low-risk.
!
Credentials
The skill declares no required env vars or credentials (appropriate), but the code accesses a hard-coded filesystem path in the user's home. Access to local files was not declared and is not proportional to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. Autonomous invocation is allowed by default (normal), and there is no evidence it writes system-wide config.
What to consider before installing
This skill's description and SKILL.md look appropriate for scam screening, but handler.py contains a hard-coded local file read of /Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md which is unnecessary and inconsistent. Before installing or enabling autonomous invocation: (1) ask the author why the handler reads that path and request removal or replacement with a safe, relative/resource-based read, (2) review or run the handler.py in a sandbox to confirm it doesn't exfiltrate or read unexpected files, and (3) avoid installing it on systems with sensitive local data until the file-access behavior is corrected. If the author cannot justify or fix the hard-coded path, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk9786m4vd3hghwjfsd09enc3cn84wstf
60downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
haidong@harrylabsj
latest
Download

crypto-scam-red-flags

A scam-screening skill that reviews offers, messages, or influencer claims and points out concrete red flags.

Workflow

  1. Take the pasted message, offer text, DM, or campaign description.
  2. Look for urgency, guaranteed returns, impersonation, fake support behavior, secrecy, wallet-drain patterns, or emotional manipulation.
  3. Classify the situation: likely scam, suspicious, unclear, or low-obvious-risk.
  4. Explain why each red flag matters.
  5. Give the safest next step: do not click, verify independently, or walk away.

Output Format

  • Risk verdict
  • Red flags found
  • Why they matter
  • Safest next action
  • What not to share or sign

Quality Bar

  • Uses evidence from the supplied text, not vague fear.
  • Stays practical and protective.
  • Makes the user safer even when certainty is impossible.
  • Avoids false confidence like "100% safe."

Edge Cases

  • Some real promotions look spammy; say when independent verification is still needed.
  • Cannot inspect links, smart contracts, or domains in real time.

Compatibility

  • Best with pasted text or manually transcribed screenshot content.
  • Prompt-only, strong complement to wallet safety education.

Comments

Loading comments...