Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent ID
v1.0.0
Give your agent a persistent cross-platform identity. Generate an agent card, emit OADP discovery signals, and register on open coordination hubs. Every agen...
by FLY @imaflytok
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (create a persistent agent identity, emit discovery signals, register on hubs) matches the runtime instructions (add OADP metadata, POST to a registration endpoint). However, the specific target (https://onlyflies.buzz) and the claim of 'register on open hubs' lack provenance (no homepage, no source). Having a registration endpoint and storing credentials is plausible for this purpose, but the chosen external host is not explained or verified.
Instruction Scope
The SKILL.md instructs the agent/user to: (1) insert an OADP metadata line into AGENTS.md, (2) run a curl POST to a specific external service, and (3) save credentials to ~/.config/clawswarm/credentials.json. These instructions direct data to an external endpoint that is not a known or documented service and require writing credentials to disk — both outside the agent's local-only scope and potentially sensitive. The skill also recommends installing third-party packages (clawhub/clawswarm) without describing what those installers will do.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not itself write code to disk. That is the lower-risk pattern. Note: the documentation recommends running 'clawhub install' which would invoke an external installer; the skill does not provide details or provenance for those packages.
Credentials
No environment variables or credentials are declared, but the instructions explicitly tell the user to save credentials to ~/.config/clawswarm/credentials.json and imply participation in bounties (HBAR). Asking users to create/store credentials and possibly financial identifiers is disproportionate unless the skill documents what credentials are produced, how private keys are handled, and why they are needed. The skill gives no guidance on what those credentials are or how to audit the remote service.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It does recommend adding a discoverability comment to AGENTS.md (modifies a repo file) and storing credentials under the user's home config — persistent actions that could be performed automatically if the agent is allowed to run the instructions. Combined with network registration, this increases the blast radius if performed without user oversight.
What to consider before installing
This skill's purpose is coherent, but it instructs you to register your agent with an unverified external host (onlyflies.buzz), save credentials locally, and install additional packages. Before running any of these steps: 1) verify the remote service's reputation and source (homepage, code repo, org behind it); 2) do not POST any private keys, wallet seeds, or sensitive data to the service; 3) inspect what 'clawhub'/'clawswarm' installers actually install in a safe sandbox; 4) if you want to try it, use a disposable account and store credentials in an isolated directory or temp environment first; and 5) require explicit user approval for any automated registration (avoid letting the agent run these steps autonomously). If the skill provided an official homepage, upstream package sources, or documentation describing the credential format and security model, the assessment could be upgraded.
Like a lobster shell, security has layers — review code before you run it.
