Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smoothsend Gasless

v1.0.0

How to sponsor gas fees for Aptos dApp users using SmoothSend. Paid commercial service: free on testnet, credit-based on mainnet. Covers 3-line wallet adapte...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md content matches the stated purpose (how to sponsor Aptos gas using SmoothSend) and the recommended dependencies (@smoothsend/sdk, Aptos wallet adapter) are appropriate. However, the registry metadata declares no required env vars while the instructions clearly require an API key (NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY), which is an inconsistency.
Instruction Scope
Instructions are focused on integrating SmoothSend (provider setup, Script Composer, error handling). They explicitly tell developers to store an API key in env vars and to handle 402 errors. A notable instruction-level risk: the guidance recommends client-prefixed env vars (NEXT_PUBLIC_/VITE_), which will expose the API key to browsers — the doc warns not to expose server-only keys but doesn't clearly explain the security implications or alternatives (server-side proxy, scoped keys). The skill also suggests running an npx tool (npx @smoothsend/mcp) — benign for documentation but not declared in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes direct install risk. It references installing npm packages (@smoothsend/sdk and wallet adapter) but does not attempt to fetch arbitrary archives or run installers on behalf of the user.
Credentials
The skill metadata lists no required environment variables, yet the runtime instructions mandate an API key (NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY). Requesting an API key is reasonable for this integration, but using NEXT_PUBLIC_/VITE_ implies the key will be shipped to clients; the docs do not justify the key's intended exposure model, nor do they discuss scopes, revocation, or a server-side alternative. This mismatch between declared requirements and instructions is a proportionality and transparency concern.
Persistence & Privilege
The skill does not request persistent installation privileges (always is false), does not modify other skills or system configs, and has no declared config paths. There is no evidence it requests elevated runtime privileges.
What to consider before installing
This SKILL.md appears to be a legitimate integration guide for SmoothSend, but note two things before you rely on or install it: (1) the registry metadata does not declare the API key it actually requires — the guide expects NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY. Confirm whether that key is meant to be public (client-visible) or private; if it is sensitive, prefer a server-side proxy or a scoped key mechanism. (2) Exposing an API key in client-side env vars can allow anyone to use your SmoothSend credits unless the provider issues client-scoped, rate-limited keys — check SmoothSend docs and dashboard for key scopes, revocation, and billing controls. Additional checks: verify the @smoothsend/sdk package and any CLI tools (npx @smoothsend/mcp) come from the official SmoothSend npm/org, test everything on testnet first (it's free), and set up billing/alerting to detect unexpected credit usage.
