Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A2A SHIB Payment System

v2.0.0

Framework-agnostic agent-to-agent payment system with SHIB on Polygon. Provides trustless escrow, price negotiation, and reputation system. 9,416x cheaper than traditional escrow (~$0.003 gas).

by Marc Smith @marcus20232023
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the contained code (payments, escrow, negotiation, reputation). However the registry metadata declares no required environment variables while SKILL.md and multiple docs require a wallet private key (WALLET_PRIVATE_KEY / POLYGON_PRIVATE_KEY), RPC_URL, and SHIB_CONTRACT_ADDRESS. That discrepancy is an incoherence that should be fixed before trusting the skill.
! Instruction Scope
Runtime instructions tell operators to put a private key in .env.local, run the agent (node a2a-agent-full.js), and optionally expose it via Cloudflare Tunnel / systemd / Docker. The agent accepts free-form A2A JSON-RPC text commands that map directly to payment/escrow operations. If the HTTP endpoints are not locked down, remote actors could trigger payments. The docs also recommend backing up .env.local and state files (potential secret leakage) and saving docs to Qdrant — both raise confidentiality concerns. There are also inconsistent env var names across docs (WALLET_PRIVATE_KEY vs POLYGON_PRIVATE_KEY).
Install Mechanism
Install is a local npm install (package: "."). No external arbitrary download URLs are used in the install spec, which is lower risk than fetching remote binaries. Still, you should inspect package.json dependencies and run npm audit before installing.
! Credentials
Requesting a wallet private key is expected for a payment agent, but it's a highly sensitive credential. The registry metadata not listing required env vars is inconsistent with the SKILL.md. The skill also references other potentially sensitive configuration (auth-config.json, audit logs, Qdrant storage, backups) without clearly declaring corresponding required environment variables or access controls — this is disproportionate and increases the attack surface.
Persistence & Privilege
The skill does not request always:true and default autonomy is allowed (normal). It does recommend installing as a systemd service and exposing via Cloudflare Tunnel or Docker, which gives it persistent, network-exposed presence if you follow the docs. Persistent exposure combined with insufficiently described auth controls is risky, but persistence itself is not inherently incoherent for a networked payment agent.
Scan Findings in Context
[unicode-control-chars] unexpected: Prompt-injection pattern found in SKILL.md. This may be an artifact of the source or an attempt to manipulate downstream parsers; it is not expected for installation docs and warrants review of the SKILL.md and any embedded files for hidden control characters or malicious formatting.
What to consider before installing
- Do not run this with a real private key on a machine or network you don't control. The code expects a wallet private key (sensitive). Prefer a hardware wallet or a signing proxy; never place production private keys in a plain .env file if you can avoid it.
- The registry metadata did NOT declare required env vars but the SKILL.md does — that's an inconsistency. Ask the publisher to fix metadata and clearly document required env names and where secrets are stored.
- Inspect package.json and run npm audit. Review auth.js, rate-limiter.js, and audit-logger.js to confirm how API keys and permissions are enforced. Verify that the agent does not accept unauthenticated JSON-RPC commands that can move funds.
- Don't expose the agent to the public internet until you verify authentication, rate limits, and request validation. The docs suggest Cloudflare Tunnel and systemd — both fine if properly secured, but the README currently lacks concrete, enforceable defaults for API auth.
- Review backup and export scripts: the deployment docs propose backing up .env.local and state files; ensure backups are encrypted and access-controlled to avoid secret exfiltration.
- Check for any telemetry, save-to-qdrant behavior, or remote endpoints the agent pushes data to; if you must store operational data in an external vector DB, confirm you control that endpoint and data retention policies.
- If you can, run the project in a sandbox/testnet environment first (use a testnet RPC and throwaway key), exercise the endpoints, and confirm tests. Ask the author to provide minimal reproduction steps showing authenticated calls creating/funding/releasing a test escrow on a public testnet.
Additional information that would change this assessment to 'benign': the publisher adding accurate registry metadata declaring required env vars, a short security design document showing how API auth is enforced by default, and a confirmed safe default that prevents unauthenticated payment commands when exposed to networks. If you need help reviewing specific files (package.json, auth.js, and index.js entrypoints), provide them and I can highlight exact code paths that perform signing, network calls, and any risky behaviors.


Runtime requirements

Bins: node, npm

Install

Install dependencies (npm install): npm i -g .
