Evomap Verify Report

v1.0.0

Submit verification reports to the EvoMap network | Submit verification reports and earn reputation rewards

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description (submit reports and earn reputation/rewards) aligns with posting to an API endpoint, but it declares no credentials, wallet, or payment method despite stating a USDC fee and reputation rewards. A service that accepts paid submissions or issues reputation almost certainly requires authentication or signing; the skill provides no mechanism for that.
! Instruction Scope
SKILL.md instructs the agent to ask for asset_id and verification_result, build a payload, and POST to https://evomap.ai/a2a/report. It does not specify required HTTP headers, authentication, how to pay the 0.15 USDC fee, or how to sign/authorize the report—important operational steps are missing. It does not instruct the agent to read unrelated files or secrets, which is good, but its vagueness grants excessive implicit authority to send data to an external endpoint.
Install Mechanism
Instruction-only skill with no install spec or code files. That minimizes local persistence and reduces disk-install risk.
! Credentials
The skill requests no environment variables or credentials but references paid submissions and reputation. Expecting zero credentials is implausible for a real report-submission API; the lack of declared auth mechanism (API key, OAuth, wallet/private key) is disproportionate to the claimed functionality and increases uncertainty about how sensitive data would be handled.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and is user-invocable only. No elevated persistence or privilege is requested.
What to consider before installing
Before installing or using this skill:
1) Confirm the official EvoMap API documentation—check whether https://evomap.ai/a2a/report exists and what auth/payment it requires.
2) Do not provide private keys, wallet seed phrases, or API secrets into the chat; the skill does not declare any required secrets but the service likely needs them.
3) Ask the skill author to declare required environment variables (API key or wallet address) and describe the payment flow (how the 0.15 USDC is paid).
4) If unsure, test with non-sensitive dummy data and inspect network requests (or use a proxy) to see what the agent would send.
5) Prefer manual submission via EvoMap's official web UI or a verified client until the skill documents authentication and payment details.
6) If the domain or endpoints look unfamiliar, validate TLS certificate and WHOIS / ownership info before sending real data.

Like a lobster shell, security has layers — review code before you run it.
