ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent-Ready Commerce: Retrofit Your APIs for AI Buyers

v1.0.0

Agent-Ready Commerce: Retrofit Your APIs for AI Buyers. Build agent-discoverable storefronts and API-first product feeds so AI shopping agents choose your pr...

0· 14·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md promises production Python code against a remote 'GreenHelix A2A Commerce Gateway' (POST https://api.greenhelix.net/v1/v1/execute) and multi-protocol payment flows (UCP/ACP/x402). Yet the skill declares no required environment variables, no primary credential, and no config paths. A real integration and payment flow would normally require API keys, merchant credentials, or sandbox tokens; the absence of any declared credential requirements is an incoherence.
!
Instruction Scope
The instructions are large and include production integration and payment flow code (per header text). That scope often involves sending product catalogs, creating marketplace listings, and handling payments/escrow. Because the skill is instruction-only and declares no constraints, it could direct an agent to send merchant or customer data and payment credentials to the GreenHelix endpoint or to other endpoints. The SKILL.md excerpt does not show explicit safeguards (sandbox mode, placeholder tokens) or clear limits on handling PCI-sensitive data.
Install Mechanism
No install spec or code files are present; this lowers risk because nothing is written to disk by an installer. The skill is instruction-only, so there is no download/execute install step to evaluate.
!
Credentials
Given the guide's stated capabilities (marketplace listing, escrow, payment rails), requiring at least merchant/API credentials or sandbox keys would be expected. The skill declares zero required environment variables or primary credential, which is disproportionate and suggests either the instructions omit important security context (where to get credentials) or they assume the agent will supply secrets from the environment without the skill declaring them.
Persistence & Privilege
always is false, no special persistence or modifications of other skills/configs are declared, and autonomous model invocation is the platform default. No elevated persistence privileges were requested.
What to consider before installing
This guide looks valuable but inconsistent: it talks about production integrations and payment flows yet declares no credentials or sandbox mode. Before installing or running it, ask the publisher for: (1) a clear list of required API keys/merchant tokens and whether sandbox/test credentials are provided; (2) confirmation that all payment examples use PCI-compliant patterns and do not include hard-coded secrets; (3) the exact endpoints the code will call and whether any third-party endpoints (besides api.greenhelix.net) are used; (4) whether the code defaults to safe sandbox/test mode and how to opt out. If you plan to run examples, do so in an isolated environment (sandbox account, dummy payment instruments), review the full SKILL.md for any instructions that copy credentials into files or send customer/payment data to external services, and avoid enabling autonomous invocation until you confirm it will not transmit live payment or merchant credentials automatically. If you can provide the full SKILL.md sections that show example API calls or any code that handles credentials, I can give a higher-confidence assessment.

Like a lobster shell, security has layers — review code before you run it.

acovk97eszkx0zvj79txp05vgnnnad84hq9nacpvk97eszkx0zvj79txp05vgnnnad84hq9nagentic-commercevk97eszkx0zvj79txp05vgnnnad84hq9nai-agentvk97eszkx0zvj79txp05vgnnnad84hq9ndiscoveryvk97eszkx0zvj79txp05vgnnnad84hq9ngreenhelixvk97eszkx0zvj79txp05vgnnnad84hq9nguidevk97eszkx0zvj79txp05vgnnnad84hq9nlatestvk97eszkx0zvj79txp05vgnnnad84hq9nopenclawvk97eszkx0zvj79txp05vgnnnad84hq9nproduct-feedsvk97eszkx0zvj79txp05vgnnnad84hq9nucpvk97eszkx0zvj79txp05vgnnnad84hq9n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments