Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cesto-toolkit

v1.0.0

Complete toolkit for the Cesto platform — covers all APIs, basket creation, portfolio simulation, and market data. Use this skill whenever the user wants to...

by Lakshya Garg @lakshyagarg26
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description describe interacting with the Cesto platform, and the bundled scripts call only backend.cesto.co endpoints and implement browsing, detail, analysis, simulation, and a login/publish flow. No unrelated cloud credentials, binaries, or external services are requested — capability and requirements are consistent.
Instruction Scope
SKILL.md instructs the agent to run bundled scripts (fetch_baskets, fetch_basket_detail, analyze_investment, and login flows). The login flow opens the user's browser and the scripts save session tokens locally; the SKILL.md claims the agent won't see tokens (scripts avoid printing tokens). This behavior is within scope, but the skill also registers many trigger phrases (broad automatic invocation) and a prompt-injection pattern was flagged in SKILL.md — both warrant caution.
Install Mechanism
Instruction-only install (no external installer). All code is bundled in the skill; there are no downloads from untrusted URLs or package installs. No files are created outside the skill's own directory except the session files under the user's home (~/.cesto) which are part of its intended function.
Credentials
The skill declares no required environment variables or external credentials, which matches its use of the platform backend. However, it stores authentication tokens under ~/.cesto (auth.json and session.dat). The session store uses a simple XOR + base85 obfuscation derived from username@hostname — not cryptographically strong encryption — so anyone with filesystem access could recover tokens. api_request enforces an allowlist to backend.cesto.co, which limits accidental exfiltration to other domains.
Persistence & Privilege
always:false (not force-included). The skill writes and updates files in ~/.cesto (session data and auth.json) and performs token refreshes. This is reasonable for a CLI-style login/session flow but does give the skill persistent local state and the ability to refresh/use stored credentials; users should accept writing credentials to their home directory before installing.
Scan Findings in Context
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md content. This is not expected for a documented runtime flow and could indicate an attempt to influence model behavior or the evaluation. Review the SKILL.md source for any hidden or malicious instructions before trusting the skill.
What to consider before installing
This skill appears to implement the advertised Cesto API functionality and contains the expected login and API helper scripts, but exercise caution before installing:
1) The SKILL.md contained a prompt-injection pattern — inspect the raw SKILL.md for hidden instructions or suspicious text.
2) The skill stores authentication tokens under ~/.cesto using a weak obfuscation (XOR/base85 derived from username@hostname) — consider whether you're comfortable with tokens on disk and with the potential for local recovery.
3) api_request restricts network calls to backend.cesto.co, which is good, but confirm the backend URLs are correct and that you trust the skill's owner (owner ID is unknown).
4) If you proceed, run the skill in a sandboxed environment or on a machine/account where storing these tokens is acceptable, and consider auditing the code yourself or asking the publisher for provenance (signed release, homepage, or official source).
If you need higher assurance, request a version of the skill from a verified source or with stronger local encryption for session tokens.
SKILL.md:478
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
