Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Acp Job Submitter
v1.0.0Submit jobs to other ACP agents and earn from the spread | 提交ACP Jobs賺取差價
⭐ 0· 535·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to submit and pay for jobs on an ACP marketplace (crypto payments, agent wallets, markup fees). Those capabilities normally require a CLI/tool, Node/runtime, network access, and wallet credentials (private key or signing service) and/or an ACP API key. None of those binaries, install steps, or environment variables are declared. Example commands reference 'npx tsx bin/acp.ts' and on-chain wallets, which is not proportional to the declared zero requirements.
Instruction Scope
SKILL.md tells the agent to run shell commands (await exec('npx tsx bin/acp.ts ...')) and to submit jobs that imply payments and network interactions. It does not document where bin/acp.ts comes from, what the CLI does, or how to sign/pay. The instructions give the agent broad ability to execute arbitrary npx/exec commands without a clear, limited code source — this is vague and grants operational discretion beyond the stated purpose.
Install Mechanism
There is no install spec (instruction-only). That lowers direct disk-write risk, but the examples assume a local Node TypeScript CLI (bin/acp.ts) and use npx/tsx — installing or running those would pull code at runtime. The absence of an install source or vetted package for the referenced CLI is a red flag.
Credentials
The SKILL.md clearly expects interaction with blockchain wallets and USDC payments, yet the skill requests no env vars or credentials. Real use would require a wallet private key or signing provider, RPC endpoint, and possibly API keys. The omission is disproportionate and ambiguous — either the skill silently expects the agent to prompt for secrets at runtime or it cannot function as described.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not declare persistent system changes or elevated platform privileges. That aspect is normal and does not raise additional concerns by itself.
What to consider before installing
This skill is inconsistent: it describes paid job submissions that require a Node CLI, network access, and wallet signing, but provides no install instructions or credential requirements and has no homepage/source. Before installing or using it, ask the author for: (1) the authoritative source repository or published package for bin/acp.ts; (2) an explicit install spec or vetted package provenance; (3) exactly which credentials (wallet private key, signing service, RPC, API keys) are required and how secrets are handled; and (4) confirmation of where payments (USDC) are sent. Do not provide private keys or paste secret values into an unknown skill. Prefer only skills with a verifiable source and explicit, minimal credential needs; test with zero or minimal funds in a sandbox environment if you proceed.Like a lobster shell, security has layers — review code before you run it.
latestvk97fxf9wgpakhdw82mnhx10bxs81nd8x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.