Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jovay-dapp-skill
v1.0.0
Full-stack dApp generation skill for Jovay blockchain — from requirements gathering to contract deployment and frontend debugging
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the declared required binaries (jovay, git, node, npx) align with a full-stack dApp generation and deployment workflow; asking to clone a template, run npm, compile, and deploy is coherent with the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to initialize the Jovay CLI, check wallet balance, request airdrops, run build/test/deploy commands, and execute install scripts from the generated template. Those steps are within the skill's goal but the instructions also reference reading/writing project .jovay/.env and use environment variables for RPC URL and a deployer private key — actions that touch wallet/deployment secrets and execute code from a cloned template, which broadens scope and risk.
Install Mechanism
This is an instruction-only skill (no install spec in registry), but SKILL.md recommends installing @jovaylabs/jovay-cli via npm (-g). Recommending an npm global install is a reasonable approach for a CLI, but the registry did not include an enforced install spec and the package/source should be verified before installing.
Credentials
The registry lists no required env vars, yet the SKILL.md/hardhat snippet explicitly expects process.env.JOVAY_TESTNET_RPC_URL and process.env.DEPLOYER_PRIVATE_KEY and instructs wallet initialization. Requesting or using a deployer private key and RPC credentials is expected for deployment, but failing to declare these in metadata is an incoherence and increases the risk of unexpected secret access/exfiltration.
Persistence & Privilege
The always flag is false and the skill is user-invocable; it does not request permanent presence or system-wide config changes. It may create a project-local .jovay/.env and run scripts inside the project — normal for a project generator.
What to consider before installing
This skill appears to do what it says (generate and deploy Jovay dApps), but it fails to declare that it requires deployment secrets. Before installing or running it:
1) verify the origin and authenticity of the @jovaylabs/jovay-cli package and the GitHub template it clones;
2) never expose your main account private key — use a throwaway/test deployer key with limited funds and rotate it afterward;
3) review the cloned template source and any install scripts (tools/install_deps.sh) before running them;
4) prefer setting DEPLOYER_PRIVATE_KEY and JOVAY_TESTNET_RPC_URL in a secure environment (not pasted into chat) and confirm the skill metadata is updated to declare these env vars; and
5) if you want stronger assurances, ask the publisher for a cryptographic package/source fingerprint or a public homepage before trusting the skill.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97b82a9n0sthaa5bdxq3re5zn84hr95
Runtime requirements
🚀 Clawdis
Bins: jovay, git, node, npx
