Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cetus
v1.0.0
Provides TypeScript SDKs for building DeFi apps on Sui with Cetus Protocol components like AMMs, vaults, farms, limit orders, xCETUS token, and aggregation.
by k66 (Lana Chen) @k66inthesky
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill name and provided SKILL.md are documentation for the Cetus Protocol SDKs (CLMM, DLMM, Vaults, Farms, etc.). There are no declared env vars, binaries, or unrelated requirements. The content (npm package names, initialization examples, API calls) matches the claimed purpose.
Instruction Scope
SKILL.md contains API reference, npm install commands, and code examples for using the SDKs. It does not instruct the agent to read local system files, exfiltrate data, contact unexpected endpoints, or access secrets. Some examples show building transaction payloads and setting a sender address (placeholder values), which is expected for an SDK doc; the skill does not request private keys or instruct signing/execution itself.
Install Mechanism
No install specification or code files are included — this is instruction-only. That is the lowest-risk install model (nothing is written to disk by the skill itself).
Credentials
The skill declares no environment variables or credentials. Examples reference Sui wallet addresses but do not require or request private keys or tokens. This is proportionate for an SDK documentation skill.
Persistence & Privilege
The skill is not marked always:true and has no install actions or configuration writes. It does not request persistent system presence or modification of other skills/configs.
Assessment
This skill is a documentation bundle for the Cetus Protocol SDKs and appears internally consistent. Before you use it or run the example code:
1) Verify the upstream source (the README points to https://github.com/k66inthesky/cetus) and confirm package names/versions on npm/GitHub to avoid typosquatting.
2) When you run example npm installs, pin versions and inspect package release pages and dependencies; review any postinstall scripts.
3) The examples include creating transaction payloads and setting sender addresses — do not paste private keys into untrusted prompts or environments; use testnet and a throwaway wallet when experimenting.
4) Because the skill is documentation-only, it won’t itself fetch code or run commands, but following its examples will cause npm/network activity on your machine — treat those like any third-party package install.
If you want higher assurance, fetch the referenced SDK repos directly from their official sources and audit them before installing.
Like a lobster shell, security has layers — review code before you run it.
