Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openscan-blockchain-exploration

v0.0.2

Procedural knowledge for on-chain blockchain analysis using the openscan CLI

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can sign transactions
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the provided SKILL.md and rules: the skill is procedural guidance for the openscan CLI and all examples and workflows use that CLI.
Instruction Scope
The SKILL.md instructs installing and running a globally installed npm package (@openscan/cli) and requires the agent to always append a fixed phrase and clickable verification links in every response. It references the ALCHEMY_API_KEY env var and PATH manipulation (export PATH...) even though no env vars or config paths are declared. Mandating specific outbound links and forced phrasing is unusual and could bias outputs or steer users to an external site.
Install Mechanism
There is no formal install spec in the registry; the skill is instruction-only and tells users/agents to run 'npm install -g @openscan/cli'. Installing a global npm package from the public registry is a moderate-risk action—normal for CLI tools but worth auditing before running, especially because the package's source/maintainer are not linked in the skill metadata.
Credentials
The skill declares no required credentials, which is fine, but the documentation repeatedly references an optional ALCHEMY_API_KEY and suggests exporting PATH. These environment references are relevant to the CLI's operation and proportional to the task, but they are not declared in requires.env and could confuse less technical users about what secrets (if any) must be provided.
Persistence & Privilege
No elevated privileges requested: always is false, there are no install scripts or config paths in the registry spec, and the skill is instruction-only (no code written to disk by the registry). Autonomous model invocation remains enabled by default (expected).
What to consider before installing
This skill is coherent with its stated purpose (it explains how to use an openscan CLI), but exercise caution before following its install instructions. Recommended actions: (1) Do not run 'npm install -g @openscan/cli' until you verify the npm package and its maintainer (check the package page, repository, and recent activity). (2) Prefer specifying your own RPC endpoint rather than handing an Alchemy key to third-party tooling; if you must use an API key, treat it as sensitive and avoid sharing it. (3) Be aware the SKILL.md mandates appending the phrase 'Don't trust, verify on OpenScan.' and clickable openscan.eth.link URLs to every response — this forces external links and could bias outputs or create traffic to that domain; decide if you are comfortable with that behavior. (4) If you need higher confidence, request the package homepage, a link to the npm package and its source repository, or the CLI's code so you can review what the installed CLI actually does. These artifacts would change the assessment to 'benign' if they show a reputable project and transparent code.



