ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Commerce Discovery

v1.3.1

Agent Commerce Discovery. Build machine-readable service catalogs, knowledge graphs, and UCP/MCP/A2A protocol endpoints so AI shopping agents can discover, e...

0· 92·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill describes a discovery/knowledge-graph guide for making services AI-discoverable, which can legitimately reference an API gateway key and signing keys for A2A interactions. However, the declared required environment variables include STRIPE_API_KEY and AGENT_SIGNING_KEY in addition to GREENHELIX_API_KEY; the SKILL.md text itself says the GreenHelix sandbox requires no API key to get started. Requiring a live Stripe key and a signing key is not obviously necessary for a discovery guide and appears disproportionate or at least unexplained.
Instruction Scope
SKILL.md is instruction-only and appears to include production Python examples that use GreenHelix and payment integration. The guide instructs using credentials (GREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY). It does not appear to instruct reading unrelated system files, but it does instruct use of highly sensitive secrets (signing key and Stripe key) which would allow an agent to sign requests and create payment intents if provided.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing will be written to disk or downloaded during install from the skill package itself (lower install risk).
!
Credentials
The skill requires three environment variables, including AGENT_SIGNING_KEY (Ed25519 private key) and STRIPE_API_KEY. Those are high-value secrets: the signing key can authorize agent-level requests and the Stripe key can create payment intents/charge cards. The SKILL.md also states the sandbox provides credits and 'no API key required to get started', which conflicts with the declared required env vars and undermines justification for providing live credentials.
Persistence & Privilege
The skill is not marked always:true and uses default autonomous invocation settings. It does not request to modify other skills or system-wide settings. Caveat: allowing an agent to act autonomously while giving it signing and payment credentials increases blast radius; that combination is a higher risk but is not flagged by any 'always' privilege here.
What to consider before installing
This skill is an instruction-heavy guide that references real gateway and payment integrations, but the package metadata requests sensitive keys that are not clearly justified. Before installing or providing credentials: (1) do not supply live Stripe secret keys or your private agent signing key — use Stripe test keys and ephemeral or scoped keys instead; (2) prefer creating a GreenHelix sandbox key or a limited-scope API key rather than full-production credentials; (3) verify with the publisher why these env vars are required despite the guide saying the sandbox needs no key; (4) review the code examples in the guide locally (offline) to see what actions they perform and whether they will create charges or sign/authorize requests; (5) if you must test, create dedicated, revocable test keys with minimal permissions and monitor them; and (6) if the author cannot explain the mismatch between the SKILL.md and the required env vars, treat the package as risky and avoid supplying sensitive secrets.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk976nh1m1mct6r2avmj9fsy2ph84wm19discoveryvk976nh1m1mct6r2avmj9fsy2ph84wm19greenhelixvk976nh1m1mct6r2avmj9fsy2ph84wm19guidevk976nh1m1mct6r2avmj9fsy2ph84wm19knowledge-graphvk976nh1m1mct6r2avmj9fsy2ph84wm19latestvk976nh1m1mct6r2avmj9fsy2ph84wm19mcpvk976nh1m1mct6r2avmj9fsy2ph84wm19openclawvk976nh1m1mct6r2avmj9fsy2ph84wm19schema-orgvk976nh1m1mct6r2avmj9fsy2ph84wm19structured-datavk976nh1m1mct6r2avmj9fsy2ph84wm19ucpvk976nh1m1mct6r2avmj9fsy2ph84wm19

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvGREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY
Primary envGREENHELIX_API_KEY

Comments