Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

W3connect

v0.3.0

Access ETH wallet address and securely send ETH or USDC on Ethereum or Base chains with 2FA authentication code verification.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (access address and send ETH/USDC with 2FA) matches the instructions: all actions are HTTP calls to a local wallet API (127.0.0.1:5333) for address, send, and pay-to-email. There are no unrelated credentials or external services requested.
Instruction Scope
All runtime instructions tell the agent to call local endpoints (GET /address, /send, /pay2email). That is coherent with a local signing service, but it means the agent will directly trigger on-chain transactions if given a valid 2FA code. The SKILL.md also says 'do not ask the user to execute the curl' (the agent should call the local API). There is no instruction to read unrelated files or environment variables.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is written to disk. This is the lowest-risk install mechanism. Minor inconsistency: SKILL.md includes metadata claiming python and pip in a 'nanobot' requires field, but the registry lists no required binaries.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. It relies on the user-supplied 6-digit authenticator code (passed as a parameter) rather than persistent secrets. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has no install-time persistence. The agent is allowed to invoke it autonomously by default, which is normal.
Assessment
This skill expects a local wallet/signing service listening on http://127.0.0.1:5333 (web3b0x or similar). If you do not have that service running, the calls will fail. If you do run such a service, the agent will be able to call it and submit real transactions when given a valid 2FA code — only provide one-time codes when you intend to authorize a transfer. Ask the skill author for the service's expected binary/software and documentation (there's no homepage or source listed). Note the small inconsistency in SKILL.md metadata claiming python/pip are required; confirm whether any local components or installs are necessary before use. Finally, treat this as powerful: verify the local service code and network exposure (ensure it truly binds to localhost and is from a trusted source) before allowing the agent to perform payments.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c1bkzzcanr7e5rgvvfwbvp181wqsy
