ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KibiBot Skill

v1.5.2

Create tokens on-chain, check fee earnings, check Kibi Credit balance, trigger agent credit reload, and interact with KibiBot's Agent API and Kibi LLM Gatewa...

0· 106·0 current·0 all-time
by@kibiagent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (create tokens, check balances, trigger credit reloads, use Kibi LLM gateway) align with the SKILL.md and the referenced Agent API/LLM endpoints. The skill asks for an API key and to add Kibi as an LLM provider — both are expected for the described features.
Instruction Scope
Runtime instructions tell the user to edit their OpenClaw config (~/.openclaw/openclaw.json) to add Kibi as an LLM provider and to use the Kibi Agent API (api.kibi.bot) and LLM gateway (llm.kibi.bot). These instructions are in-scope for the skill, but they also enable the 'Agent Reload' action (agent-initiated credit top-ups from the user's trading wallet), which is a high-impact financial operation that the user must explicitly opt into.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. This minimizes install-time risk; the skill relies on calling Kibi's APIs from the agent when invoked.
Credentials
The skill does not require platform secrets via requires.env, but it instructs users to place their kb_... API key into their agent config. That is appropriate for the API calls, however the optional 'reload_enabled' permission grants the agent authority to move funds (reload credits from the trading wallet). That permission is sensitive and should only be granted if you trust the service and the key; consider using a key without reload permissions for read-only tasks.
Persistence & Privilege
The skill asks you to modify your agent's persistent config to add Kibi as an LLM provider (a lasting change), but it is not force-included (always:false) and does not request elevated platform-wide privileges. Persistent configuration changes are expected for adding an LLM provider but you should back up config and review the change.
Assessment
This skill is internally consistent with its stated purpose, but contains actions that can affect your money and data flow. Before installing or configuring: - Only paste a kb_... API key you control; prefer a key scoped without 'reload_enabled' unless you explicitly want the agent to top up credits from your trading wallet. - If you enable Agent Reload, understand the agent can trigger POST /balance/credits/reload which moves funds; check daily limits and monitor transactions. - Back up ~/.openclaw/openclaw.json before editing and review the config you add (don't paste secrets into publicly shared files). - Consider limiting use of the Kibi LLM gateway for sensitive prompts, since queries and context will be sent to llm.kibi.bot and billed to your Kibi Credits. - The skill is instruction-only and references Kibi endpoints; the package origin in the registry metadata is not a known vendor homepage — verify the provider (kibi.bot) and the referenced GitHub repo before trusting the API key or enabling reloads.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758t8t7gc76zr8sjs0v5pqjs83wad6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments