Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Monad Wordle Skill

v1.0.0

Play a 5-letter Wordle game on the Monad blockchain using $WORDLE tokens. Start games, submit guesses, and retrieve game state via HTTP API.

0· 655·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The name and description (play Wordle on Monad using $WORDLE) match the on-chain workflows in the instructions, but the skill's declared requirements (no env vars, no credentials) do not match what SKILL.md actually needs: a wallet private key plus on-chain token approvals and purchases. Leaving required credentials undeclared is an inconsistency a reviewer should treat as a warning sign, not an oversight to provision around.
Instruction Scope (flagged)
The runtime instructions direct the agent to read process.env.PRIVATE_KEY, create a wallet client, buy tokens on nad.fun, approve contract spending, sign and send transactions, and POST the resulting transaction hashes to an external API (https://wordle.nadnation.xyz). These actions involve a sensitive signing key and transfers of funds, yet SKILL.md neither limits them nor requires explicit interactive user consent before a transaction, and it does not document how to supply signing authority safely.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so an installer writes nothing to disk. That minimizes install-time risk; it does not reduce runtime risk, because the instructions themselves are what drive the agent's on-chain actions.
Credentials (flagged)
The skill's examples read process.env.PRIVATE_KEY (passed to privateKeyToAccount), but the registry lists no required env vars and no primary credential. Requesting a private key, or any signing key, is highly sensitive; it is proportionate for an on-chain signing workflow only when the requirement is declared explicitly and the safeguards around it are described. Both the declaration and the safeguards are missing.
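The mismatch described above, a skill whose instructions read an environment variable that its metadata never declares, is mechanically checkable. Below is an added example in JavaScript; it is not ClawHub's scanner and not the skill's code. The manifest shape ({ requires: { env: [...] } }), the WORDLE_API_URL name and the SKILL.md excerpt are constructed for illustration, modelled on what the report says SKILL.md contains.

```javascript
// Added example, not ClawHub's scanner or the skill's own code: find env vars that a
// skill's instructions read but its registry metadata never declares.
// The manifest shape ({ requires: { env: [...] } }) is an assumption for illustration.

// Matches process.env.NAME as well as process.env["NAME"] / process.env['NAME'].
const ENV_REF = /process\.env(?:\.([A-Z_][A-Z0-9_]*)|\[\s*["']([A-Z_][A-Z0-9_]*)["']\s*\])/g;
// Names that almost always denote signing or authentication material.
const SENSITIVE = /(PRIVATE_KEY|MNEMONIC|SEED|SECRET|PASSWORD|TOKEN|API_KEY)/;

function envRefsInInstructions(text) {
  const names = new Set();
  for (const m of text.matchAll(ENV_REF)) names.add(m[1] ?? m[2]);
  return [...names].sort();
}

// Compare what the instructions reference against what the manifest declares.
function auditCredentialDeclarations(manifest, skillMd) {
  const declared = new Set((manifest.requires && manifest.requires.env) || []);
  const referenced = envRefsInInstructions(skillMd);
  const undeclared = referenced.filter((name) => !declared.has(name));
  const sensitiveUndeclared = undeclared.filter((name) => SENSITIVE.test(name));
  let verdict = "ok";
  if (undeclared.length) verdict = "warn";            // undeclared, but not obviously a secret
  if (sensitiveUndeclared.length) verdict = "suspicious"; // undeclared signing/auth material
  return { referenced, undeclared, sensitiveUndeclared, verdict };
}

// Constructed sample mirroring the scan report: the metadata declares no env vars,
// while the instructions build a signer from PRIVATE_KEY (viem's privateKeyToAccount).
const SAMPLE_MANIFEST = { name: "monad-wordle", version: "1.0.0", requires: { env: [] } };
const SAMPLE_SKILL_MD = `
## Setup
    import { privateKeyToAccount } from "viem/accounts";
    const account = privateKeyToAccount(process.env.PRIVATE_KEY);
    const api = process.env["WORDLE_API_URL"] ?? "https://wordle.nadnation.xyz";
`;

console.log(auditCredentialDeclarations(SAMPLE_MANIFEST, SAMPLE_SKILL_MD));
```

Run with node; the sample yields the verdict "suspicious" because PRIVATE_KEY is referenced but undeclared, while the undeclared WORDLE_API_URL on its own would only produce a warning. The name heuristic is deliberately conservative: a skill that reads something called PRIVATE_KEY without declaring it is exactly the case the report describes, and a scanner should say so rather than wait for proof of misuse.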
Persistence & Privilege
The skill does not request always:true or other elevated persistence flags; it is user-invocable and, per platform defaults, may also be invoked autonomously. Nothing indicates that it modifies other skills or system settings.
What to consider before installing
This skill needs a wallet private key and performs on-chain purchases and approvals that spend real funds, yet the registry metadata declares no required credentials. That mismatch can expose your keys or money if you provision them blindly. Before installing:

1. Do NOT give an unreviewed skill your main private key as an env var. Use a separate wallet holding minimal funds, or an account set up specifically for testing, and approve only the token amount a game needs rather than an unlimited allowance.
2. Verify the contract addresses and ABI links (the skill points to an ABI on GitHub and to specific addresses) and inspect the smart contract source yourself, or on a block explorer.
3. Confirm that the external API host (https://wordle.nadnation.xyz) is legitimate and review its privacy and security practices.
4. Prefer signing transactions with a hardware wallet or a WalletConnect flow rather than injecting PRIVATE_KEY into environment variables.
5. Ask the publisher to update the skill metadata to declare required env vars (e.g., PRIVATE_KEY) and to add explicit safety and consent steps; request code or a manifest so you can review exactly what actions the agent will take.

If you cannot verify these points, treat the skill as risky and do not supply signing credentials.
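The consent and spending-limit gap the report describes, together with points 1 and 4 above, can be closed on the host side by placing a policy gate between the skill and whatever signs (hardware wallet, WalletConnect session, or a throwaway wallet). The following is an added example in JavaScript and is not code from the skill, from nad.fun or from ClawHub. The contract addresses, limits, consent callback and stub signer are illustrative assumptions; the two ERC-20 function selectors are the standard ones.

```javascript
// Added example (not the skill's, nad.fun's or ClawHub's code): a policy gate that an
// agent host places in front of the signer, so a skill never touches the raw key.
// Contract addresses, limits, consent callback and signer are illustrative assumptions.

const APPROVE_SELECTOR = "0x095ea7b3";  // keccak256("approve(address,uint256)")[0:4]
const TRANSFER_SELECTOR = "0xa9059cbb"; // keccak256("transfer(address,uint256)")[0:4]
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited allowance" sentinel

// Read the i-th 32-byte ABI word that follows the 4-byte selector in hex calldata.
function word(data, i) {
  const start = 10 + i * 64; // "0x" + 8 selector hex chars
  const hex = data.slice(start, start + 64);
  if (hex.length !== 64) throw new Error("calldata too short");
  return hex;
}
const toAddress = (w) => "0x" + w.slice(24).toLowerCase();
const toUint = (w) => BigInt("0x" + w);

// Decode the two ERC-20 calls that move or delegate funds; anything else is "unknown".
function decodeErc20(data) {
  const sel = data.slice(0, 10).toLowerCase();
  if (sel === APPROVE_SELECTOR)
    return { fn: "approve", spender: toAddress(word(data, 0)), amount: toUint(word(data, 1)) };
  if (sel === TRANSFER_SELECTOR)
    return { fn: "transfer", to: toAddress(word(data, 0)), amount: toUint(word(data, 1)) };
  return { fn: "unknown", selector: sel };
}

// Pure policy check: returns every reason the transaction violates the policy.
function evaluateTx(tx, policy) {
  const reasons = [];
  const to = tx.to.toLowerCase();
  if (!policy.allowedContracts.has(to)) reasons.push(`target ${to} not in allowlist`);
  const value = tx.value ?? 0n;
  if (value > policy.maxValueWei) reasons.push(`value ${value} exceeds cap ${policy.maxValueWei}`);
  if (tx.data && tx.data !== "0x") {
    const call = decodeErc20(tx.data);
    if (call.fn === "approve") {
      if (call.amount === MAX_UINT256) reasons.push("unlimited approve refused");
      else if (call.amount > policy.maxApproveAmount) reasons.push("approve amount exceeds cap");
      if (!policy.allowedSpenders.has(call.spender)) reasons.push(`spender ${call.spender} not in allowlist`);
    } else if (call.fn === "transfer") {
      if (call.amount > policy.maxTransferAmount) reasons.push("transfer amount exceeds cap");
    } else {
      reasons.push(`unknown selector ${call.selector}`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// The signer is injected (hardware wallet, WalletConnect session, or a throwaway
// low-balance wallet); the skill only ever calls guardedSend and never reads a key.
async function guardedSend(tx, policy, consent, signer) {
  const verdict = evaluateTx(tx, policy);
  if (!verdict.allowed) return { sent: false, reasons: verdict.reasons };
  if (!(await consent(tx))) return { sent: false, reasons: ["user declined"] };
  return { sent: true, hash: await signer(tx) };
}

// Helper to build approve(spender, amount) calldata for the constructed samples.
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const encodeApprove = (spender, amount) => APPROVE_SELECTOR + pad32(spender) + pad32(amount.toString(16));

// Assumed addresses (placeholders, not the skill's real contracts) and policy.
const GAME = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x2222222222222222222222222222222222222222";
const POLICY = {
  allowedContracts: new Set([GAME, TOKEN]),
  allowedSpenders: new Set([GAME]),
  maxApproveAmount: 100n * 10n ** 18n,  // at most 100 tokens delegated at a time
  maxTransferAmount: 100n * 10n ** 18n,
  maxValueWei: 10n ** 17n,              // at most 0.1 native units per transaction
};

// What a skill sends when it approves "everything": refused before anything is signed.
const unlimitedApprove = { to: TOKEN, value: 0n, data: encodeApprove(GAME, MAX_UINT256) };
// A bounded approval for one game: passes the policy and reaches the consent prompt.
const boundedApprove = { to: TOKEN, value: 0n, data: encodeApprove(GAME, 5n * 10n ** 18n) };

const fakeSigner = async () => "0xfeed".padEnd(66, "0"); // stands in for a real wallet
const alwaysYes = async () => true;                       // stands in for a real prompt
guardedSend(unlimitedApprove, POLICY, alwaysYes, fakeSigner).then(console.log);
guardedSend(boundedApprove, POLICY, alwaysYes, fakeSigner).then(console.log);
```

The gate runs the policy check before the consent prompt on purpose: a user should never be asked to approve something the policy would refuse anyway, and a skill that repeatedly hits the policy wall is itself a signal worth logging. Everything the skill can do goes through guardedSend, which is what lets point 4 above work in practice: the signer behind it can be a hardware wallet, and PRIVATE_KEY never needs to exist in the agent's environment.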

Like a lobster shell, security has layers — review code before you run it.

latest · vk9771kjcvvmxet95wc5nxw0b8s81330a

