Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blocknative Openapi Skill

v1.0.0

Operate Blocknative gas intelligence APIs through UXC with a curated OpenAPI schema, API-key auth, and read-first guardrails.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and included OpenAPI schema all align: the skill implements read-only Blocknative gas endpoints via uxc. Requiring uxc in PATH and network access to api.blocknative.com is proportional. However, the registry metadata lists no required env vars or primary credential while the instructions explicitly require a BLOCKNATIVE_API_KEY; that mismatch is unexpected.
Instruction Scope
Runtime instructions are scoped to read-only operations, include guardrails (polling rate, JSON output, do not send transactions), and only direct the agent to use uxc, the included OpenAPI schema, and Blocknative endpoints. Instructions do not attempt to read unrelated files, system secrets, or send data to unexpected endpoints.
Install Mechanism
No install spec (instruction-only) and included files are static (schema, docs, small validation script). This is low-risk: nothing is downloaded or written by an automated installer.
Credentials
SKILL.md instructs binding an API key via a secret environment variable (BLOCKNATIVE_API_KEY) and configuring it in uxc, but the skill registry metadata declares no required env vars or primary credential. The skill does request a sensitive secret (API key) in practice; the omission from metadata is a coherence and transparency problem and could hide the true credential surface from a user or from automated checks.
Persistence & Privilege
always:false and default autonomous invocation settings are normal. The skill does not request permanent presence or modify other skills/system-wide settings. The included validate.sh is a local check script and does not alter system state beyond failing when expectations are unmet.
What to consider before installing
This skill appears functionally coherent (read-only Blocknative API access via uxc) but the SKILL.md requires a BLOCKNATIVE_API_KEY while the registry metadata does not declare that credential. Before installing:
1) Confirm you trust uxc and that it will store/handle your BLOCKNATIVE_API_KEY securely.
2) Ask the publisher to update the registry metadata to declare the required secret so automated checks can surface it.
3) Run the included scripts/validate.sh locally to verify files and expectations (it requires jq and rg).
4) Verify the OpenAPI schema and the referenced endpoints match Blocknative's official docs and that you only grant a read-only key with minimal scope.
If you cannot verify the credential handling or metadata, treat the omission as a red flag and avoid installing until clarified.
