Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hedera Mirror

v1.1.0

Query Hedera blockchain data via Mirror Node API. Check balances, token info, transactions, NFTs, and account history. No API key needed — fully public REST...

by FLY @imaflytok
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: SKILL.md contains curl examples against Hedera mirror node endpoints and a SaucerSwap token endpoint. No credentials, binaries, or installs are requested, which is proportionate for a read-only public-API query skill.
Instruction Scope
All visible runtime instructions are limited to querying public REST endpoints (Hedera mirror nodes and a DEX API) and do not ask the agent to read local files or secrets. However, SKILL.md includes a hidden HTML comment with OADP metadata pointing to external URLs (https://onlyflies.buzz/...) that are unrelated to the described purpose and could be used for out-of-band registration or telemetry if the platform consumes such metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files — low installation risk (nothing is written to disk by the skill itself).
Credentials
No environment variables, credentials, or config paths are requested; this is appropriate for a public-read-only blockchain-query skill.
Persistence & Privilege
Skill does not request 'always: true' and uses default autonomous-invocation behavior (normal). It does not declare modifications to other skills or system-wide settings.
What to consider before installing
The curl examples and public API usage look legitimate and low-risk for read-only queries. The red flag is the hidden HTML comment embedding OADP-style metadata that references onlyflies.buzz endpoints (registration/ping). Before installing, verify how your agent platform handles SKILL.md metadata: confirm it will not automatically call or register with those external URLs. Ask the skill author for a source/homepage and an explanation of the OADP comment; if the platform treats that metadata as actionable, do not install the skill until you can confirm the endpoints are safe (or remove the comment). If you control a sensitive agent, prefer skills from known authors or with a homepage and avoid implicit registration to unknown hubs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e0w8ds596p5bgpdewhkj71n823f4w
