Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Debank Skill
v1.0.0
Query blockchain wallet data—balances, DeFi positions, tokens, NFTs, transactions, gas prices, and token approvals—across EVM chains via DeBank API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (querying wallets via DeBank) matches the SKILL.md: it instructs using the debank-cli to call DeBank Pro API endpoints. There are no unrelated credentials, binaries, or actions requested that don't fit the stated purpose.
Instruction Scope
The runtime instructions tell the agent to check for and/or install a global npm package (debank-cli), run the CLI commands, and inspect/set the CLI config (which is stored at ~/.debank-cli/config.json). These actions are expected for a CLI-based integration, but they do grant the skill the ability to run shell commands and read/write a local config file containing the API key — behavior the user should consciously accept.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md instructs a user/agent to run `npm install -g debank-cli`. Installing a global package from the public npm registry is a reasonable installation approach for a CLI, but npm packages run code during install and are a moderate risk if the package or its maintainers are untrusted. No downloads from arbitrary URLs or archive extraction are requested.
Credentials
The skill requires a DeBank Pro API key (documented in SKILL.md and stored by the CLI). No other environment variables or unrelated credentials are requested. Requiring the API key is proportional to the skill's function.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not ask to modify other skills or system-wide agent settings. It only uses the CLI's own config file to store the API key, which is normal for this workflow.
Assessment
This skill appears to do what it says: it uses the debank-cli to query DeBank. Before installing or running it, consider these practical steps:
1) Manually review and install debank-cli yourself rather than letting an automated agent run npm -g, because npm installs execute code during install.
2) Verify the npm package and repository (maintainers, recent activity, and checksums) to reduce supply-chain risk.
3) Provide a scoped/limited DeBank Pro key if possible and understand that the CLI will save it to ~/.debank-cli/config.json — protect that file (permissions) and avoid sharing the key elsewhere.
4) Prefer to run the CLI locally in a controlled environment (container, VM) if you are concerned about executing third-party npm code.
5) If you want higher assurance, request the skill author publish an explicit install manifest (signed release or pinned package version) or provide an audited binary instead of leaving installation to an automated agent.
If the SKILL.md had asked for unrelated credentials, contained external upload endpoints, or required downloads from arbitrary URLs, the assessment would be more suspicious.
Like a lobster shell, security has layers — review code before you run it.
latestvk9766w5c9x8wek94r7mjgfa7r983nrcg
