Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Commerce Quick Start: Your First Autonomous Transaction in 30 Minutes

v1.3.1

Free quick-start guide to agent commerce: what it is, how x402 works, your first...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an instructional quick-start for agent commerce; GREENHELIX_API_KEY, an agent signing key, and a Stripe API key can be reasonable for a full production walkthrough. However, the SKILL.md explicitly states the GreenHelix sandbox requires no API key for initial exploration, so declaring GREENHELIX_API_KEY and STRIPE_API_KEY as required in metadata is inconsistent with the guide's own text and suggests the declared requirements may be broader than necessary.
Instruction Scope
SKILL.md appears to be an educational guide with example calls and notes that it 'does not execute code or install dependencies.' It references the three credentials but only as things you supply in your environment; it does not instruct the agent to read other unrelated files or contact unexpected endpoints in the visible excerpt.
Install Mechanism
No install spec and no code files are present (instruction-only), which minimizes on-disk risk.
Credentials
Requesting AGENT_SIGNING_KEY (a private Ed25519 key) and STRIPE_API_KEY is sensitive. For a tutorial that claims the sandbox requires no API key, treating these three env vars as required is disproportionate. If provided at runtime, the skill would have access to secrets capable of authorizing payments and signing agent actions — a high-privilege combination.
Persistence & Privilege
always is false and the skill is not asking to modify other skills or system settings. It does, however, request environment credentials which, if supplied, the agent (and any invoked skill code) could use during execution.
What to consider before installing
This is an instructional guide that looks legitimate, but it asks for highly sensitive secrets in its metadata while also saying the GreenHelix sandbox needs no API key. Do not export real private keys or live Stripe production keys to this skill unless you trust the publisher and understand exactly how those keys will be used. Prefer using sandbox/test keys or ephemeral, scoped credentials for experimentation. Ask the publisher for source code or a homepage before supplying secrets; if you must test, use Stripe test keys and a throwaway agent signing key, and never reuse production signing keys or payment credentials.


Tags: agent-commerce, ai-agent, beginner, free, greenhelix, guide, latest, openclaw, quick-start, tutorial, x402


Runtime requirements

Env: GREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY
Primary env: GREENHELIX_API_KEY
