Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Store
v1.0.2Use when the user wants to buy, purchase, order, pay for, or top up API keys or API credits.
⭐ 0· 18·0 current·0 all-time
by@levey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Requiring python3 and awp-wallet and the contained store.py is coherent with a crypto-based purchase flow for API credits/keys. However the skill also includes 'vps_instance' as a product type and — more importantly — its runtime instructions require updating the agent's provider configuration to point at the purchased provider, which goes beyond a simple purchase helper.
Instruction Scope
SKILL.md explicitly instructs the agent to open and modify its runtime configuration (adding models.providers.agent-store, setting base_url and API key, replacing provider models, changing the active model for the agent, verifying the gateway, and starting a new session). These steps touch agent configuration and change future agent behavior and network endpoints; they are outside the narrow scope of only 'buying' credits and could redirect the agent to untrusted endpoints.
Install Mechanism
There is no install spec and no external downloads; the script is bundled with the skill and executed via python3. This minimizes install-time risk (nothing is fetched from arbitrary URLs).
Credentials
The registry metadata lists no required env vars, but the script and SKILL.md reference API_HOST, X402_BASE_RPC_URL, and local facilitator config paths. The skill depends on awp-wallet and performs signing/approve/allowance operations — which imply access to local wallet keys/funds. The SKILL.md also directs writing purchased API keys into the agent runtime config (storing credentials). Requesting the agent to store and adopt a newly purchased API key is a high‑privilege action and is not represented as declared required credentials.
Persistence & Privilege
always is false, but the skill's instructions ask the agent to modify its runtime configuration and change its active model to the purchased provider and to start a new session. That grants the skill (when used) the ability to change persistent agent behavior and to redirect future requests to an external provider — a meaningful privilege that should require explicit user consent and vetting.
What to consider before installing
This skill can perform legitimate purchases via a wallet CLI, but it also asks the agent to write the purchased API key and provider settings into its runtime config and switch to the purchased model automatically. Before installing or running: (1) review the full scripts/store.py code yourself (or have someone you trust do so) to confirm network endpoints and signing actions; (2) do not allow the agent to automatically modify its global runtime config — instead perform the config update manually after verifying the provider; (3) ensure awp-wallet and any wallet used are understood and funded only as intended (approvals/signatures can spend funds); (4) back up your runtime configuration before any automated edits; and (5) prefer to purchase credentials manually via the service website or a trusted UI and then paste the key into the agent rather than letting the skill auto-adopt a new provider.Like a lobster shell, security has layers — review code before you run it.
latestvk973mm73tq7j95wdg6ft14ez9s84cnfa
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🛒 Clawdis
Binspython3, awp-wallet