Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nodit Openapi Skill

v1.0.0

Operate Nodit Web3 Data API reads through UXC with a curated OpenAPI schema, API-key auth, and overlap-aware guardrails.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and embedded OpenAPI schema all consistently describe a read-only Nodit Web3 Data API integration (entity lookup, balances, transactions, token metadata/prices). That purpose reasonably explains the included files and instructions. However, the registry metadata lists no required environment variables while the runtime instructions explicitly require a Nodit API key (NODIT_API_KEY) and network access; this mismatch should be corrected.
Instruction Scope
SKILL.md stays within scope: it instructs the agent to use the 'uxc' tooling, create a credential binding using an API key header (X-API-KEY), link a fixed CLI wrapper, and perform only read operations. It does not instruct the agent to read unrelated system files or exfiltrate arbitrary data. The instructions do require network access to web3.nodit.io and raw.githubusercontent.com for the schema URL, which is consistent with the stated workflow.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or written by the skill. That is low-risk. The repository includes a validation script (scripts/validate.sh) that requires jq and ripgrep (rg) if you run it locally; those are not runtime installs but are undeclared dependencies in the metadata.
Credentials
The SKILL.md explicitly requires a Nodit API key and shows commands that rely on an environment variable (NODIT_API_KEY) and uxc auth bindings. Yet the registry metadata declares no required env vars or primary credential. This is a meaningful inconsistency: the skill needs a secret (NODIT_API_KEY) to operate correctly but that requirement is not surfaced in the metadata. Users should not provide an API key until they verify the provider and intent.
Persistence & Privilege
The skill does not request always:true and does not include any install-time hooks or modifications to other skills. It describes use of an external CLI (uxc) and suggests creating a linked CLI alias, but nothing in the files indicates it will persistently modify other skill configs or force-enable itself.
What to consider before installing
This skill appears to be a straightforward read-only integration for the Nodit Web3 Data API, but take these precautions before installing or providing secrets:
- Verify the source and origin: the skill's 'source' and homepage are unknown. Prefer skills published by known authors or official sources.
- Do not supply your Nodit API key until you are comfortable with the author and repo. SKILL.md expects you to store a secret in NODIT_API_KEY and register it with uxc, but the skill metadata does not declare that requirement; confirm the credential name and binding before use.
- Ensure you have uxc installed and understand what uxc auth bindings do; they can cause the CLI to attach credentials to matching hosts.
- If you plan to run the included sanity script (scripts/validate.sh), note it requires jq and ripgrep (rg). Those are development-time checks, not runtime behavior, but they are undeclared in the registry metadata.
- Network access to web3.nodit.io and raw.githubusercontent.com is required; be aware of where schemas and runtime calls go.
If you still want to proceed: (1) inspect the OpenAPI schema (references/nodit-web3.openapi.json) to confirm endpoints; (2) add/confirm the NODIT_API_KEY requirement in your environment only after you verify the publisher; (3) consider running the validation script locally to confirm file integrity, and restrict the API key to the minimum scope permitted by Nodit (if possible).
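The pre-install checks above can be scripted and run offline before any key is exported. The following is an added example, not the skill's scripts/validate.sh and not part of ClawHub's scanner; it performs the same three comparisons the review asks for: credential names referenced in SKILL.md versus those the registry metadata declares, hosts referenced versus the two the review names, and operations in the OpenAPI document that are not plain GET and so need a human to confirm they are reads. The SKILL.md text, the metadata dict, the OpenAPI fragment, its paths and the GitHub URL are all constructed stand-ins for the real bundle files.

```python
"""Offline pre-install audit for an instruction-only skill bundle.

Added example, not the skill's scripts/validate.sh. Every input below is a
constructed stand-in for the real SKILL.md, registry metadata and
references/nodit-web3.openapi.json.
"""
import re
from urllib.parse import urlparse

# --- constructed sample inputs ---------------------------------------
SKILL_MD = """\
Export your Nodit API key as NODIT_API_KEY and bind it to the X-API-KEY
header with uxc. Schema URL (constructed path, not the real repository):
https://raw.githubusercontent.com/example/nodit-skill/main/references/nodit-web3.openapi.json
"""

# Registry metadata as the review describes it: no env vars declared.
METADATA = {"name": "nodit-openapi", "env": [], "always": False}

# Minimal OpenAPI fragment in the shape of a curated schema; the two
# paths are invented for illustration.
OPENAPI = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://web3.nodit.io"}],
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-KEY"}}},
    "paths": {
        "/v1/example/native/getNativeBalanceByAccount": {
            "post": {"operationId": "getNativeBalanceByAccount"}},
        "/v1/example/token/getTokenPricesByContracts": {
            "post": {"operationId": "getTokenPricesByContracts"}},
    },
}

# The two hosts the review says the skill legitimately needs.
ALLOWED_HOSTS = {"web3.nodit.io", "raw.githubusercontent.com"}

# Uppercase env-var names whose last component looks like a secret.
SECRET_VAR = re.compile(r"\b[A-Z][A-Z0-9_]*_(?:KEY|TOKEN|SECRET|PASSWORD)\b")
URL = re.compile(r"https?://[^\s\"'<>)]+")
NON_GET = {"post", "put", "patch", "delete"}


def secret_env_vars(text):
    """Credential-looking environment variable names mentioned in text."""
    return set(SECRET_VAR.findall(text))


def referenced_hosts(text, openapi):
    """Hosts the skill will talk to: URLs in SKILL.md plus schema servers."""
    urls = URL.findall(text) + [s["url"] for s in openapi.get("servers", [])]
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}


def api_key_headers(openapi):
    """Header names of apiKey security schemes (what uxc must attach)."""
    schemes = openapi.get("components", {}).get("securitySchemes", {})
    return {s["name"] for s in schemes.values()
            if s.get("type") == "apiKey" and s.get("in") == "header"}


def non_get_operations(openapi):
    """Operations that are not plain GET; each needs a human read-only check."""
    ops = []
    for path, item in openapi.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in NON_GET:
                ops.append((method.upper(), path, op.get("operationId", "")))
    return ops


def audit(metadata, skill_md, openapi, allowed_hosts):
    """Return human-readable findings; an empty list means nothing to escalate."""
    findings = []
    undeclared = secret_env_vars(skill_md) - set(metadata.get("env", []))
    for var in sorted(undeclared):
        findings.append(f"undeclared credential: SKILL.md references {var} "
                        f"but metadata declares no env vars")
    for host in sorted(referenced_hosts(skill_md, openapi) - set(allowed_hosts)):
        findings.append(f"unexpected host: {host}")
    for method, path, op_id in non_get_operations(openapi):
        findings.append(f"non-GET operation, confirm it is a read: "
                        f"{method} {path} ({op_id})")
    if metadata.get("always"):
        findings.append("skill requests always:true")
    return findings


if __name__ == "__main__":
    for line in audit(METADATA, SKILL_MD, OPENAPI, ALLOWED_HOSTS):
        print(line)
```

The method check deliberately reports every POST as "confirm it is a read" rather than calling it a write: some query-style APIs accept request bodies over POST, so the list is a review queue for the person inspecting the schema, not a verdict. To run it against the real bundle, load references/nodit-web3.openapi.json with json.load and read SKILL.md from disk in place of the constructed inputs; any host outside the two named above, or any credential name the metadata does not declare, is the mismatch the scan is pointing at.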

Like a lobster shell, security has layers — review code before you run it.

latest: vk9765y2er5zq38j6nh92c2rk21837zjw

