Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bluepages

v1.0.2

Look up wallet address <> Twitter/Farcaster identity mappings via Bluepages.fyi. Use when asked who owns a wallet, finding addresses for a Twitter/Farcaster...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to map wallet addresses to Twitter/Farcaster identities and all runtime instructions and API endpoints align with that purpose. However, the registry metadata lists both BLUEPAGES_API_KEY and PRIVATE_KEY as required env vars, while SKILL.md explicitly says you need one of them (API key recommended, private key optional for x402 payments). This inconsistency is unexpected and should be clarified.
Instruction Scope
SKILL.md restricts operations to calling bluepages.fyi (or running the bluepages MCP via npx) and describes the expected request/credit flow. It does not instruct reading unrelated local files or contacting other endpoints. However, it does instruct use of a PRIVATE_KEY for x402 payments — handling a private key is sensitive and expands the risk profile (signing payment requests). The doc warns not to use a main wallet key, which is good guidance but does not eliminate the sensitivity.
! Install Mechanism
Installation is via a node package hosted on GitHub and the SKILL.md recommends running it with npx (npx -y github:bluepagesdoteth/bluepages-mcp). While GitHub is a common host, npx will fetch and execute remote code at runtime, which increases risk compared to instruction-only skills. This is proportionate for a client/server tool but users should audit the repository or run the package in a sandbox before trusting it.
! Credentials
Requesting an API key (BLUEPAGES_API_KEY) is proportionate to the service. Requesting a PRIVATE_KEY (Ethereum private key) is explainable for on-chain x402 payments, but it is highly sensitive and should be optional. The registry metadata's requirement of both env vars is inconsistent with the SKILL.md's 'one of' statement and is a red flag — the skill should not demand unrelated credentials. Prefer an API key; if a private key is provided, restrict funds and use a throwaway agent wallet as recommended.
Persistence & Privilege
The skill does not request always: true, does not declare any special config paths, and relies on normal agent invocation. It does not request system-wide privileges or to modify other skills' configs. Default autonomous invocation is enabled (platform default) but is not combined with other excessive privileges here.
What to consider before installing
Before installing:
1) Clarify the env-var discrepancy — confirm whether the skill requires BOTH BLUEPAGES_API_KEY and PRIVATE_KEY or just one of them (SKILL.md says one of).
2) Prefer using BLUEPAGES_API_KEY (less sensitive); avoid giving your main Ethereum private key. If you must provide a PRIVATE_KEY, use a dedicated, minimally funded wallet and rotate it after use.
3) Because the install runs remote code via npx (github:bluepagesdoteth/bluepages-mcp), review the GitHub repo and its code (or run it in an isolated sandbox/container) before executing.
4) Be aware of per-request costs and rate limits described in the doc.
5) If you want stronger guarantees, ask the publisher for a signed release or a packaged artifact you can inspect, and consider restricting the skill's use (do not grant it broad autonomous actions) until you're comfortable.


latestvk972vb9zdc09v3xfg52tx39bbs81cdwe

Runtime requirements

📘 Clawdis
Env: BLUEPAGES_API_KEY, PRIVATE_KEY

Install

Node: npm i -g github:bluepagesdoteth/bluepages-mcp
