Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Create Aptos Project
v1.0.0
Scaffolds new Aptos projects using npx create-aptos-dapp. Supports fullstack (Vite or Next.js) and contract-only templates with network selection and optiona...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious, medium confidence

Purpose & Capability
Name, description, and instructions are consistent: the skill is an instruction-only scaffold helper for Aptos projects. Minor oddity: the metadata claims author 'aptos-labs' and 'priority: critical', but the source and homepage are unknown, so provenance is unclear and the author claim could be impersonation.
Instruction Scope
The SKILL.md tells the agent to run npx create-aptos-dapp and aptos init, initialize git, and edit .env and .gitignore. That is within scaffolding scope, but npx fetches and executes remote npm package code at runtime (a remote-code-execution risk). The doc also mentions sensitive data (publisher account keys in .env) but offers no guidance on safe key storage beyond checking .gitignore; aptos init may generate keys that must not be exposed, so the agent must not display or transmit them.
Install Mechanism
No install spec in the skill itself, but the runtime instructions rely on npx to pull and run create-aptos-dapp from npm. That implicitly causes a network download and execution of third-party code. The skill does not pin a known package version or provide a trusted source URL, which increases risk.
Credentials
The skill declares no required environment variables, which matches its instruction-only nature. However, the templates create a .env that may contain API keys and the publisher account's private key. The skill correctly warns to ensure .env is in .gitignore, but it does not say how to securely create or store the publisher key, nor how to prevent accidental exposure beyond that one check.
Persistence & Privilege
The skill is instruction-only, has no install step, requests no persistent privileges, and sets always=false. It does not modify other skills or system-wide configuration.
What to consider before installing
This skill appears coherent for scaffolding Aptos projects, but take these precautions before running its recommended commands:
1) npx create-aptos-dapp will download and execute code from npm. Verify the package name, inspect the package contents (or prefer a specific, audited version) and the maintainer before running it, and consider running the scaffold in an isolated environment or container.
2) Do not let the agent display or transmit private keys. aptos init may create keys; store them securely and never commit .env to git.
3) The skill metadata claims 'aptos-labs' but has no homepage or source; treat the author assertion as unverified.
4) Prefer to run scaffolding commands locally under your control (or inspect the npm package) rather than giving an agent the ability to execute them autonomously.
If you need help verifying the npm package or modifying commands to use a pinned version or sandbox, ask before installing.
Like a lobster shell, security has layers — review code before you run it.
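The precautions above (pin and inspect the npm package, keep key material away from the agent, check .gitignore, keep execution under your own control) turned into a runnable pre-flight, as an added example that is not part of this skill, of create-aptos-dapp, or of the ClawHub scan: a POSIX shell script that refuses unpinned package specs, downloads and lists the exact tarball before anything executes, runs the scaffold with npm lifecycle scripts disabled, and afterwards checks that the generated .env is ignored by git and holds no raw key material. The .env variable names in the comments and sample files, the .aptos/config.yaml location for aptos init profiles, and the sample inputs are assumptions or constructed data, not taken from the skill.

```shell
#!/bin/sh
# Pre-flight wrapper for an agent-driven "npx create-aptos-dapp" scaffold.
# Added for this review; it is not part of the skill or of create-aptos-dapp.
# Assumptions, not taken from the skill: the .env variable names used in
# comments and tests are illustrative, and the Aptos CLI is assumed to keep
# profiles (with private keys) under .aptos/config.yaml.

# 0 only when PKGSPEC pins an exact release (name@X.Y.Z or @scope/name@X.Y.Z),
# so npx cannot silently resolve "latest" or a range to an unreviewed version.
is_pinned_spec() {
  printf '%s\n' "$1" | grep -Eq '^[@A-Za-z0-9._/-]+@[0-9]+\.[0-9]+\.[0-9]+$'
}

# 0 when the given .gitignore has a root-level line that covers ".env"
# (".env", "/.env", ".env*" or "*.env"); ".env.local" alone does not count.
env_is_ignored() {
  grep -Eq '^/?\.env\*?[[:space:]]*$|^\*\.env[[:space:]]*$' "$1" 2>/dev/null
}

# Scan a .env file for raw key material: a value that is 64 hex chars
# (optionally 0x-prefixed, the size of an Ed25519 private key) or a non-empty
# value under a PRIVATE_KEY/MNEMONIC/SECRET/API_KEY name. Prints only the
# variable name, never the value, so an agent can show the result safely.
# Returns 1 if anything was found, 0 if the file looks clean.
scan_env_for_keys() {
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
    name=${line%%=*}
    value=${line#*=}
    [ -n "$value" ] || continue
    if printf '%s\n' "$value" | grep -Eq '^"?(0x)?[0-9a-fA-F]{64}"?$' \
       || printf '%s\n' "$name" | grep -Eq 'PRIVATE_KEY|MNEMONIC|SECRET|API_KEY'; then
      echo "secret-like value in $name"
      found=1
    fi
  done < "$1"
  return $found
}

# Network step (not exercised by the tests): fetch the exact tarball, record
# its integrity hash and list its files before any of it is executed.
inspect_package() {
  spec=$1
  is_pinned_spec "$spec" || { echo "refusing unpinned spec: $spec" >&2; return 1; }
  npm view "$spec" dist.integrity dist.tarball
  dest=$(mktemp -d)
  npm pack "$spec" --pack-destination "$dest" >/dev/null
  tar -tzf "$dest"/*.tgz   # look for bin entries and lifecycle scripts in package.json
}

# Run the scaffold from a pinned spec only, in a fresh directory, with npm
# lifecycle scripts of the fetched packages disabled via npm_config_ignore_scripts.
# The package's own bin still executes, so this narrows but does not remove the
# remote-code risk; run it inside a container if that is not acceptable.
run_scaffold() {
  spec=$1
  is_pinned_spec "$spec" || { echo "refusing unpinned spec: $spec" >&2; return 1; }
  workdir=$(mktemp -d) && cd "$workdir" || return 1
  npm_config_ignore_scripts=true npx --yes "$spec"
}

# After scaffolding (or after "aptos init"): .env must be ignored and must not
# hold raw keys; warn if the assumed .aptos/ profile directory is not ignored.
post_scaffold_checks() {
  dir=$1
  env_is_ignored "$dir/.gitignore" || { echo "$dir/.gitignore does not ignore .env" >&2; return 1; }
  if [ -f "$dir/.env" ]; then
    scan_env_for_keys "$dir/.env" >&2 || { echo "raw key material in $dir/.env" >&2; return 1; }
  fi
  grep -Eq '^/?\.aptos/?[[:space:]]*$' "$dir/.gitignore" 2>/dev/null \
    || echo "warning: .aptos/ (assumed CLI profile location) is not ignored" >&2
  return 0
}
```

Source the file, then run `inspect_package create-aptos-dapp@<version>` (needs network), `run_scaffold create-aptos-dapp@<version>`, and `post_scaffold_checks <project-dir>`. The scanner reports variable names only, so its output is safe for an agent to read back; the value itself never leaves the file.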
latestvk97cg4gq9x1jet6c1fk2hzqv8x8358fx
