Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KibiBot

v1.0.1

Create tokens on-chain, check fee earnings, check Kibi Credit balance, trigger agent credit reload, and interact with KibiBot's Agent API and Kibi LLM Gatewa...

by Kibu (@kibubot)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The described capabilities (create tokens on‑chain; reload credits from a trading wallet; check earnings across chains) normally require wallet/private‑key access or exchange API credentials. The skill declares no required credentials or config paths, which is inconsistent with those capabilities.
! Instruction Scope
SKILL.md instructs users to edit a local OpenClaw config (~/.openclaw/openclaw.json) and to enable an 'Agent Reload' feature that tops up Kibi Credits from a trading wallet. Those are operations touching user config and funds, but the document does not explain how wallet authorization works or what secrets will be needed or stored.
! Install Mechanism
The registry shows no install spec and no code files, yet SKILL.md contains an 'Install' line pointing at a GitHub repo. This mismatch (no declared install but an installation URL in docs) is incoherent and should be clarified.
! Credentials
The skill declares no required environment variables or config paths, but the instructions require inserting an API key (kb_...) and editing ~/.openclaw/openclaw.json. It also discusses automatic wallet top‑ups without describing what wallet credentials or API permissions are required — the requested access is not proportional or documented.
Persistence & Privilege
The skill does not request 'always: true' and defaults allow user invocation and autonomous use; that is the platform default and not itself an elevated privilege.
What to consider before installing
Do not install or hand over secrets yet. Ask the skill author to: (1) explain exactly how on‑chain token creation works and whether it requires your private keys, exchange API keys, or only a Kibi API key; (2) explain what permissions 'Agent Reload' needs to top up credits and how wallet access/approval is granted and revoked; (3) state where credentials are stored and whether anything writes to ~/.openclaw/openclaw.json or other local files; and (4) provide a real install spec or a link to a reputable GitHub release. If you proceed, prefer read‑only API keys, test in a sandbox account, review the openclaw.json changes before saving, and be ready to revoke the Kibi API key and any wallet/exchange keys if unexpected transactions appear.

Like a lobster shell, security has layers — review code before you run it.
