Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Breeze x402

v1.0.7

Operates Breeze x402 payment-gated endpoints for balance checks, deposits, and withdrawals on Solana. Use when the user asks to manage Breeze positions or ex...

by Keegan Thompson (@keeganthomp)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match the instructions: the skill performs balance checks, builds deposit/withdrawal transactions, and pays x402 micropayments on Solana. Required binary (node) and WALLET_PRIVATE_KEY are appropriate for signing and broadcasting Solana transactions.
Instruction Scope
SKILL.md sticks to endpoint interaction, preparing/signing txs, and using a payment wrapper. It instructs writing a wallet backup file and a .env containing the private key (usual for local scripts but risky if committed). All network calls are to the Breeze x402 URL and Solana RPC; there are no instructions to read unrelated system files or exfiltrate arbitrary data. The guidance to persist the secret to disk is a usability choice that carries security risk.
Install Mechanism
No automated install spec is provided (instruction-only). The guide asks the user to run npm install of several packages from the public npm ecosystem; this is expected but carries the usual third-party package risk. There are no downloads from untrusted URLs or archived extracts in the skill itself.
Credentials
Only a single required credential is declared (WALLET_PRIVATE_KEY) which is proportional to the need to sign transactions and pay micropayments. Optional vars listed in README are reasonable. No unrelated credentials or config paths are requested.
Persistence & Privilege
Skill is instruction-only, not always-enabled, and doesn't request system-wide privilege or modify other skills. It suggests creating local files (.env, wallet-backup.json) but that is local persistence under user control.
Assessment
This skill appears to do what it says, but it requires your Solana private key and asks you to persist it locally — which is sensitive. Before installing/using:
1) Never put the wallet-backup.json or .env into version control; add them to .gitignore.
2) Prefer using an ephemeral or funded test wallet with minimal funds for initial testing instead of your main wallet.
3) Audit the npm packages (@faremeter/* and @solana/web3.js) and confirm they are the intended, official packages; consider inspecting their code or using a reproducible install in an isolated environment.
4) Verify network endpoints (https://x402.breeze.baby and Solana RPC) are correct and expected.
5) If possible, use signing that keeps private keys off disk (hardware wallets or an external signer) to reduce exposure.
These precautions reduce the risk of accidental key leakage even though the skill itself is coherent with its stated purpose.

Runtime requirements

Bins: node
Env: WALLET_PRIVATE_KEY
Primary env: WALLET_PRIVATE_KEY
