ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Non-Human Identity Security for AI Agents

v1.3.1

Non-Human Identity Security for AI Agents. Complete guide to securing non-human identities in AI agent deployments. Covers NHI lifecycle management, credenti...

0· 76·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is an instruction-only security guide. Requiring a Stripe API key (STRIPE_API_KEY) does not align with a documentation/guide purpose — the published SKILL.md explicitly says the GreenHelix sandbox requires no API key. AGENT_SIGNING_KEY could be relevant for illustrative signing examples, but demanding it as a primary credential for a read-only guide is unexpected.
!
Instruction Scope
The SKILL.md is framed as educational and non-executing, but it also says it contains 'production-ready Python code' and lists two credentials that the user 'supplies in your own environment.' That encourages providing sensitive secrets to the agent runtime. The instructions do not show explicit exfiltration, but they grant the agent access to secrets without clear, necessary justification and could lead users to paste real keys into examples.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing will be downloaded or written to disk by the skill itself. This minimizes installation risk.
!
Credentials
Two required env vars are declared: AGENT_SIGNING_KEY (primary) and STRIPE_API_KEY. STRIPE_API_KEY appears unrelated to a generic NHI security guide and is disproportionate for an instructional document. AGENT_SIGNING_KEY might be reasonable for signing examples, but making it a required primary credential for a guide that claims sandbox examples don't need keys is inconsistent. Both names are sensitive (KEY / API_KEY) and should not be requested without clear, unavoidable need.
Persistence & Privilege
The skill is not always-included and uses default autonomous invocation settings; it does not request system-wide persistence, nor does it modify other skills or system configuration. No elevated platform privileges are declared.
What to consider before installing
This is an instructional guide and contains no installable code, but the metadata asks for two sensitive environment variables — notably STRIPE_API_KEY — which the SKILL.md itself says are not required for the GreenHelix sandbox. Before installing or enabling this skill: (1) Do not provide real production API keys or private signing keys. Use ephemeral/test keys if you want to try examples. (2) Inspect the full SKILL.md to locate where AGENT_SIGNING_KEY and STRIPE_API_KEY would be used; if examples show network calls, verify they target sandbox endpoints. (3) Ask the publisher why a payment processing key is required for an NHI security guide; absence of a clear explanation is a red flag. (4) If you must run code from the guide, do so in an isolated environment and review any code examples for outbound calls or data transmission before supplying secrets. If the publisher cannot justify the env var requirements, treat the metadata as untrusted and avoid supplying sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.

agent-securityvk97e4trr87jebv1tddg3bpm3x984wrqxai-agentvk97e4trr87jebv1tddg3bpm3x984wrqxgovernancevk97e4trr87jebv1tddg3bpm3x984wrqxgreenhelixvk97e4trr87jebv1tddg3bpm3x984wrqxguidevk97e4trr87jebv1tddg3bpm3x984wrqxlatestvk97e4trr87jebv1tddg3bpm3x984wrqxmachine-identityvk97e4trr87jebv1tddg3bpm3x984wrqxnhivk97e4trr87jebv1tddg3bpm3x984wrqxnon-human-identityvk97e4trr87jebv1tddg3bpm3x984wrqxopenclawvk97e4trr87jebv1tddg3bpm3x984wrqxsecurityvk97e4trr87jebv1tddg3bpm3x984wrqxzero-trustvk97e4trr87jebv1tddg3bpm3x984wrqx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAGENT_SIGNING_KEY, STRIPE_API_KEY
Primary envAGENT_SIGNING_KEY

Comments