Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GreenHelix API Mastery Bundle: 22 Hands-On Tutorials
v1.2.0Complete collection of 22 API-heavy tutorials covering the full GreenHelix A2A Commerce Gateway. Includes formal verification, incident response, migration,...
⭐ 0· 48·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description advertise hands‑on API tutorials. The SKILL.md frontmatter lists credentials (GREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY, SSH_DEPLOY_KEY, WALLET_ADDRESS) that are not justified by a readme-style tutorial bundle. Registry metadata earlier reported no required env vars, creating an internal inconsistency: either the bundle actually needs these sensitive secrets or the frontmatter is inaccurate.
Instruction Scope
The runtime instructions are mostly descriptive (list of guides) and do not include explicit commands, but they assert 'Every guide uses the production API with working code examples' and declare a set of credentials in frontmatter. That implies the agent or included sub-guides may expect real production credentials; there are no constraints or guidance to use sandbox/test keys, nor any explicit limits on what the agent should read/transmit. The 'includes' list bundles many sub-agents, increasing the attack surface without showing what each would do.
Install Mechanism
No install spec and no code files are present (instruction-only). Nothing will be downloaded or written to disk by an installer, which lowers risk from supply-chain install actions.
Credentials
The declared credentials are high-value and cross multiple domains (payment: STRIPE_API_KEY; code deployment: SSH_DEPLOY_KEY; cryptographic identity: AGENT_SIGNING_KEY; on-chain identity: WALLET_ADDRESS; product API key). For a tutorial bundle, requiring live production keys is disproportionate. Registry metadata reported no required env vars, so the skill's own declared credentials are inconsistent with the registry — a red flag.
Persistence & Privilege
always is false and there is no install or system modification requested. The skill is user-invocable and may be invoked autonomously (normal platform default), but it does not request permanent presence or modify other skills according to provided data.
What to consider before installing
This bundle's frontmatter requests several sensitive credentials but provides no technical code or install steps showing why they'd be needed. Before installing or providing any secrets: (1) Do not supply real production API keys, SSH deploy keys, signing keys, or wallet private keys. Use sandbox/test credentials if you want to follow examples. (2) Ask the publisher for verifiable source code or a homepage and explain why each credential is required and where it will be used/stored. (3) Inspect any included sub-agent SKILL.md files (agent-*) to see if they request additional secrets or perform network exfiltration. (4) Prefer offline or local copies of tutorial code you can review, and only give narrowly scoped, time-limited credentials with minimal privileges if absolutely necessary. Given the unexplained credential requests and lack of provenance, treat this skill as suspicious and proceed with caution.Like a lobster shell, security has layers — review code before you run it.
a2avk978573ar10eq518jdxb0t483184ry45ai-agentvk978573ar10eq518jdxb0t483184ry45apivk978573ar10eq518jdxb0t483184ry45bundlevk978573ar10eq518jdxb0t483184ry45commercevk978573ar10eq518jdxb0t483184ry45greenhelixvk978573ar10eq518jdxb0t483184ry45guidevk978573ar10eq518jdxb0t483184ry45latestvk978573ar10eq518jdxb0t483184ry45openclawvk978573ar10eq518jdxb0t483184ry45tutorialsvk978573ar10eq518jdxb0t483184ry45
License
MIT-0
Free to use, modify, and redistribute. No attribution required.