Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Price Skill

v1.1.0

Provides real-time cryptocurrency prices in USD for any coin using the CoinGecko API, with a cost of 0.001 USDT per call.

Security Scan

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: the skill queries CoinGecko for prices and attempts to bill via SkillPay. However, the skill publishes a hard-coded SkillPay API key in both SKILL.md and handler.py (not needed in the public README), and references SKILL_ID (used for billing) but SKILL_ID is not defined anywhere in the code or metadata — that is inconsistent and will break billing/operation.
Instruction Scope
SKILL.md exposes an API key and instructs Payment via SkillPay; the runtime code posts billing requests to https://skillpay.me and queries CoinGecko — no other system files are accessed. Exposing the API key in documentation is unnecessary and risky. The handler's exception path returns a demo/success flag on errors, which may cause inconsistent payment behavior (e.g., free_demo). There are also clear code bugs (indentation and undefined SKILL_ID) that indicate sloppy/unsafe implementation.
Install Mechanism
No install specification — the skill is instruction-only with a single handler.py. That minimizes installation risk (nothing is downloaded or executed during install).
Credentials
The package does not request any environment variables or credentials from the user, yet contains a hard-coded secret SKILLPAY_API_KEY in both SKILL.md and handler.py. Billing requires a skill identifier (SKILL_ID) that is not defined. Hard-coding a billing API key and embedding it in documentation is disproportionate and dangerous (secret leakage and unauthorized billing).
Persistence & Privilege
Skill does not request persistent privileges (always=false), does not modify other skills or system configs, and declares no config paths. Default autonomous invocation is allowed (platform default) but is not combined with any unusual privileges.
Scan Findings in Context
[HARD_CODED_SECRET_SKILLPAY_KEY] unexpected: A SkillPay API key (sk_...) appears in both SKILL.md and handler.py. Publishing a billing API key in code/docs is not necessary for a consumer and risks credential leakage and misuse.
[CODE_QUALITY_BUGS] unexpected: handler.py contains an indentation error around headers assignment and references SKILL_ID which is undefined. These will cause runtime errors and make billing behavior unpredictable.
What to consider before installing
Do not install this skill as-is. Key concerns:

  • The SkillPay API key is hard-coded and publicly exposed in SKILL.md and handler.py; if that key is valid it should be considered compromised and rotated immediately.
  • The code references SKILL_ID (required for billing) but it is not defined — billing will fail or behave unpredictably.
  • There is an indentation/formatting bug that likely breaks the charge flow; the exception path returns success/demo, which can allow free use unintentionally.

Actions to consider before using or installing:

  1) Ask the publisher to remove any secrets from code and docs and to use a configured environment variable (e.g., SKILLPAY_API_KEY) instead. Verify that the key in the package is invalid or rotated.
  2) Require the publisher to fix the undefined SKILL_ID and the indentation/logic bugs and to document expected billing behavior and endpoints.
  3) Verify SkillPay account ownership and whether you (or your org) will be charged; test in a sandbox environment with a rotated/test API key first.
  4) If you already installed or used the skill with the exposed key, treat that key as compromised and rotate it.

Given the combination of exposed secret, billing endpoint, and code bugs, treat this skill as untrustworthy until the author fixes these issues and removes secrets from the package.


  • latest: vk974h60p0a5awbfne62sx8qsk583k2wt
  • 379 downloads
  • 0 stars
  • 2 versions
  • Updated 8h ago
  • v1.1.0
  • License: MIT-0

Crypto Price Skill

Get real-time cryptocurrency prices.

Features

  • Get price for any cryptocurrency
  • Returns price in USD
  • Uses CoinGecko API (free)

Price

  • 0.001 USDT per call
  • Payment via SkillPay

Usage

  • "Bitcoin price"
  • "ETH price"
  • "Solana price"
  • "Crypto prices"

Integration

  • API Key: sk_93c5ff38cc3e6112623d361fffcc5d1eb1b5844eac9c40043b57c0e08f91430e
  • Price: 0.001 USDT per call
