ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jovay-interaction-skill

v1.0.0

Skill for interacting with Jovay or Ethereum network using jovay-cli

0· 94·0 current·0 all-time
by@jovay-developer·duplicate of @ryogawan/jovay-interaction
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an instruction-only wrapper around the jovay-cli tool and correctly requires the 'jovay' binary. The SKILL.md even includes an npm install entry for @jovaylabs/jovay-cli which is appropriate for this purpose. Minor inconsistency: the registry metadata says 'No install spec' while SKILL.md contains an 'install' hint (npm); this is likely a documentation/packaging mismatch but does not change the intended capability.
Instruction Scope
Instructions stay within the scope of blockchain wallet/bridge/contract operations. However, the docs encourage providing private keys directly via CLI flags (e.g., --sk <private-key>), which exposes secrets to shell history and process listings. This is expected for a CLI wallet but is a sensitive operational detail the user must manage carefully.
Install Mechanism
No install spec is present in the registry (skill is instruction-only). The embedded SKILL.md metadata suggests installing @jovaylabs/jovay-cli via npm, which is a common and expected mechanism. Because there is no registry-level install spec, the agent will rely on an already-installed 'jovay' binary—verify the package source before installing globally.
Credentials
The skill requests no environment variables or unrelated credentials. All sensitive material referenced (private key, encryption password) are wallet credentials appropriate to the stated functionality. The quantity and kind of secrets implied are proportional to a blockchain CLI tool.
Persistence & Privilege
Skill does not request always-on presence and uses normal, user-invocable behavior. It does not ask to modify other skills or system-wide agent settings.
Assessment
This skill is coherent for running a Jovay/Ethereum CLI, but be cautious with private keys: avoid passing raw private keys on the command line (they appear in process lists and shell history). Prefer using encrypted wallets, environment-protected credential stores, or hardware wallets if supported. Before installing jovay-cli globally, verify the npm package name (@jovaylabs/jovay-cli), check its official documentation/repository, and review the package (or install locally) rather than blindly running global installs. Never paste private keys into chat or third-party tools. If you only need read-only operations, avoid configuring a private-key-backed wallet on systems you don't fully control.

Like a lobster shell, security has layers — review code before you run it.

latestvk9711sj2x4qtpd2x34khr4kj4x84g4y7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔧 Clawdis
Binsjovay

Comments