Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crawdaddy

v1.0.0

Autonomous scanner detecting quantum-unsafe ECDSA, smart contract risks, and agent credential exposures with compliance-ready post-quantum security reports.

by Michael Bennett (@mbennett-labs)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
SKILL.md and README describe an autonomous scanner that integrates with GitHub/GitLab, blockchain RPCs, and agent platforms and produces JSON/PDF/HTML reports. However, the bundle contains no code, no install, and declares no required credentials or endpoints. A legitimate autonomous scanner would normally include scanning code or call an external service endpoint and would typically require API tokens (or at least document how to access public/private repos and RPC nodes). The stated pricing and proprietary reporting model further imply an external service, but the skill provides no runtime instructions tying into that service.
! Instruction Scope
The SKILL.md is high-level and does not include concrete runtime commands or safe-scoped instructions. It instructs users to 'submit repository URL or smart contract address' and promises scanning agent credentials and MCP packages for unencrypted keys — but it does not specify how the agent should obtain code, whether it should read local files, or which endpoints to call. This vagueness grants broad discretion and could lead to an agent reading local skill packages or environment data without clear boundaries.
Install Mechanism
There is no install spec and no code files beyond documentation (SKILL.md, README, package.json). That lowers the immediate file-system and supply-chain risk because nothing will be downloaded or executed by default from this bundle. However, it also means the skill's claimed functionality is unimplemented or intended to rely on external services not described here.
! Credentials
The skill claims to scan private repos, blockchain nodes, and agent credentials, which would normally require access to GitHub/GitLab tokens, blockchain RPC endpoints (or provider API keys), and possibly privileged access to agent storage. Yet the requires.env and primary credential fields are empty. The absence of declared credentials is disproportionate to the described capabilities and leaves it unclear how the scanner is supposed to operate (local code analysis vs. remote service).
Persistence & Privilege
Flags show always:false and default autonomous invocation allowed. The skill does not request persistent presence or system-wide configuration changes, and there is no install step that writes to disk. From a privilege/persistence perspective the bundle is low-impact as provided.
What to consider before installing
This package is suspicious because it promises a capable autonomous scanner but contains only documentation and no implementation or credential requirements. Before installing or enabling it:
1) Ask the publisher for the actual scanner code or a concrete runtime endpoint and an explanation of where scanning work runs (local vs. remote).
2) Verify how private repos or RPC nodes are accessed — do not provide GitHub tokens, RPC keys, or agent credentials unless you trust and have reviewed the service code.
3) Request a sample report produced from a known public repo and the exact commands/tools used (solidity analyzers, linters, PQC checks).
4) Validate the vendor identity (domain, email, GitHub repo) independently and check for an open-source scanner you can audit.
5) If you must test, do so in an isolated environment and avoid granting access to production secrets or private repos.
If the publisher intends this skill to call an external paid service, that behavior should be explicit in SKILL.md and the skill should require only the minimal credentials needed for that service.

Like a lobster shell, security has layers — review code before you run it.

Version: latest (vk97fkx1kf2rj8ee8trkqe9pb4s836s4m)
