ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RouteMesh Crypto RPC

v1.0.0

Call RouteMesh's unified JSON-RPC endpoint (lb.routeme.sh) for any EVM chainId using a helper script. Use when you need to fetch onchain data (eth_* methods), debug RPC responses, or demo RouteMesh routing for a chain/method.

0· 1.4k·1 current·1 all-time
by@kermankohli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the declared primary credential and required Python binary; asking for ROUTEMESH_API_KEY and python is reasonable for an RPC helper. However, the skill's instructions assume a helper script at {baseDir}/scripts/routemesh_rpc.py, but no code files are present in the package—this is an inconsistency.
!
Instruction Scope
Instructions are narrow (how to POST JSON-RPC to lb.routeme.sh) and don't request unrelated files or env vars. But they instruct running a local helper script that does not exist in this skill bundle; that gap can cause confusion or require the agent/user to create/obtain an external script. The instructions also show the API key placed in the URL path (POST .../{apiKey}), which risks exposure via logs or referers; while the doc notes to keep the key out of logs, embedding in URLs is inherently more leak-prone.
Install Mechanism
No install spec (instruction-only) — lowest install risk. Nothing will be downloaded or written by the skill bundle itself.
Credentials
Only a single credential (ROUTEMESH_API_KEY) is declared as primary, which is proportional to an RPC service. Caution: the documented endpoint places the key in the URL path; this is a design choice of the upstream API but increases the chance of accidental exposure. No other unrelated secrets are requested.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system-wide modifications. Normal autonomous invocation is allowed (platform default) but not escalated by this skill's metadata.
What to consider before installing
This skill's description and credential request are sensible for calling RouteMesh, but the package is incomplete: it references a helper script ({baseDir}/scripts/routemesh_rpc.py) that is not included. Before using/installing: verify the skill's source (routeme.sh) and obtain/review the actual helper script you will run. Prefer passing the API key via Authorization headers rather than embedding it in URLs if possible; if you must embed it, be aware URLs may be logged or leaked. Only provide ROUTEMESH_API_KEY if you trust the endpoint and rotate the key if you suspect exposure. If you cannot inspect the script beforehand, treat this skill as untrusted and avoid exposing high-privilege keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk9779b33zncexm2kv8q5kq0csn80gfxh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Any binpython3, python
Primary envROUTEMESH_API_KEY

Comments