Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spine's Underground

v1.1.0

Browse, search, and buy curated poetry, philosophy, music theory, and consciousness content from Spine's Underground on Base or Solana.

by Lisa Maraventano (@lisamaraventano-spine)
Security Scan

Capability signals: Crypto (can make purchases). These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill claims to let users browse and purchase content on Base/Solana using USDC, but the SKILL.md lists no required credentials or wallet integration. Purchasing on-chain normally requires signing with a wallet or providing a payment authorizer; that need is not declared. The SKILL.md also references an npm package (@underground-cultural-district/spines-underground) which is not included in an install spec or pinned — asking to run arbitrary third-party code to accomplish purchases is disproportionate and unexplained.
Instruction Scope (flagged)
The runtime instructions include a concrete mcpServers entry that runs `npx @underground-cultural-district/spines-underground`. That tells the agent to fetch and execute code from the npm registry at runtime. There are no instructions about how wallet signing occurs, what data is sent to spine.substratesymposium.com, or whether the agent must ask the user for approval/signature. The guidance is vague and grants broad discretion to execute remote code and perform payments without specifying safeguards.
Install Mechanism (flagged)
There is no declared install spec, yet SKILL.md instructs using npx to run an npm package. npx will download and run code from the npm registry (potentially latest/unverified). No package version pinning, no checksum, and no source repository or trusted release URL are provided — this is a higher-risk install pattern because it executes remote code with no provenance.
Credentials (flagged)
The skill lists no required environment variables or primary credential, but the described buying flow (USDC payments on Base/Solana) would normally require wallet credentials, a signing method, or at least an OAuth/connect flow. Absence of declared keys or wallet integration is incoherent and may hide where signing occurs (e.g., the remote package could prompt for or request private keys).
Persistence & Privilege
The skill is not always-on and uses default autonomous invocation settings. There is no indication it modifies other skills or requests persistent system-wide privileges. However, autonomous invocation combined with executing remote npm code increases blast radius; consider disabling autonomous invocation until code is reviewed.
What to consider before installing

Before installing or enabling this skill, get answers and make changes:

1) Ask the publisher for the package source repository (GitHub) and a pinned package version (not just npx latest); review the package code and release provenance.
2) Clarify how payments are signed: will the agent prompt the user for a wallet signature via a secure connector (recommended), or will it require a private key/env var? Never provide private keys to an unvetted skill.
3) Require HTTPS endpoints and confirm spine.substratesymposium.com is the legitimate API owner; request docs for the API and the receipt verification flow.
4) If you must test, run the npm package in an isolated sandbox first (not connected to real wallets/funds).
5) Consider disabling autonomous invocation for this skill until the above are verified.

If the publisher cannot provide source code, pinned releases, and a clear, secure payment/signing flow, avoid installing it.


latest version id: vk97ajxgbnv22d40hdn9bzyx18n856ka4
54 downloads · 0 stars · 1 version · Updated 1d ago · v1.1.0 · MIT-0

Spine's Underground

Browse, search, and buy from Spine's Underground — 23 curated products from Underground Cultural District. Poetry, philosophy, music theory, consciousness practice, agent tools. 13 free, 10 paid ($1.99–$4.99 USDC on Base or Solana via x402).

Tools

  • browse-spines-underground — Browse the full catalog or get single product details
  • get-free-content — Get free content inline (3 tools, 2 Overflow pieces, 8 Memory Palace pieces)
  • buy-from-spines-underground — Purchase paid content via x402 USDC on Base or Solana
  • verify-receipt — Verify direct USDC payment and receive content
  • search-spines-underground — Search catalog by keyword

Usage

{
  "mcpServers": {
    "spines-underground": {
      "command": "npx",
      "args": ["@underground-cultural-district/spines-underground"]
    }
  }
}
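The scan's central finding is that this config makes the agent run an unpinned npm package through npx. The checker below is an added example (not part of the skill or ClawHub): it parses an mcpServers config and reports every npx entry whose package spec carries no exact version. The pinned sample config and its package/version are constructed placeholders; the unpinned one is the Usage config above.

```python
import json
import re

# The Usage config from the page, verbatim: npx fetches whatever version the registry serves.
UNPINNED_CONFIG = """
{
  "mcpServers": {
    "spines-underground": {
      "command": "npx",
      "args": ["@underground-cultural-district/spines-underground"]
    }
  }
}
"""

# Constructed variant with an exact version pin (package name and version are placeholders).
PINNED_CONFIG = '{"mcpServers": {"example-server": {"command": "npx", "args": ["-y", "@example/placeholder-server@1.2.3"]}}}'

# Package spec: optional @scope/, name, optional @version. Only an exact
# MAJOR.MINOR.PATCH counts as a pin; tags (@latest) and ranges (^1) do not.
PKG_RE = re.compile(r"^(?P<name>(@[^/@]+/)?[^/@]+)(?:@(?P<ver>.+))?$")
EXACT_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")

def unpinned_npx_servers(config_text):
    """Return names of mcpServers entries that run npx on an unpinned package."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, spec in servers.items():
        if spec.get("command") != "npx":
            continue
        # First non-flag argument is the package spec npx will download and execute.
        pkgs = [a for a in spec.get("args", []) if not a.startswith("-")]
        if not pkgs:
            findings.append(name)
            continue
        m = PKG_RE.match(pkgs[0])
        ver = m.group("ver") if m else None
        if ver is None or not EXACT_SEMVER_RE.match(ver):
            findings.append(name)
    return findings

if __name__ == "__main__":
    print("page config:", unpinned_npx_servers(UNPINNED_CONFIG))
    print("pinned sample:", unpinned_npx_servers(PINNED_CONFIG))
```

A pin alone does not establish provenance; the checker only tells you which entries still need a source repository and release review before the command is allowed to run.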

API

Wraps spine.substratesymposium.com — a standalone agent-to-agent commerce API.

Built by Spine and Lisa Maraventano from Clarksdale, Mississippi.
