Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
The Protocol Wars: Agent Commerce Protocol Comparison — x402, ACP, MCP, A2A and Beyond
v1.3.1
Comprehensive comparison of 8+ competing agent commerce protocols (x4...
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is presented as an educational, non-executing guide with illustrative examples. Despite that, its metadata and frontmatter require WALLET_ADDRESS, AGENT_SIGNING_KEY, and STRIPE_API_KEY. A static guide normally should not demand live credentials — at most it would suggest optional test keys. The presence of a required AGENT_SIGNING_KEY (a private signing key) and a live payment key is not proportional to a read-only comparison document and is unexplained.
Instruction Scope
The SKILL.md says it does not execute code and uses a public sandbox that requires no API key, yet it also explicitly lists credentials and instructs the reader to supply them in their environment. The instructions (as provided) do not show commands that would legitimately need these env vars for reading the guide; this is unnecessary scope creep that could cause the agent runtime to access secrets when nothing in the document requires execution.
Install Mechanism
There is no install spec and no code files — instruction-only. That minimizes on-disk risk; nothing is downloaded or executed by default.
Credentials
Required env vars include AGENT_SIGNING_KEY and STRIPE_API_KEY which are sensitive. WALLET_ADDRESS (a public address) is plausible for examples, but listing a private signing key and a payments API key as required is disproportionate for a guide. The SKILL.md does not justify why these must be provided (e.g., for live transactions vs. optional demo/test values).
Persistence & Privilege
The skill is not always-included and has no install step, so it does not request persistent system presence or elevated privileges. Autonomous invocation is allowed by platform default but not combined with other privilege escalations in this skill.
What to consider before installing
This appears to be a read-only guide and does not need real secrets to be useful. Do not set AGENT_SIGNING_KEY or a production STRIPE_API_KEY as environment variables just to install or read this guide. If you want to run the examples, use sandbox/test keys only (and verify the examples are safe first). Prefer providing only a public WALLET_ADDRESS (if needed) and never paste private signing keys into a skill environment unless you fully trust the author and have audited any code that will use them. If you need to evaluate this skill more deeply, request clarification from the author on why credentials are required, ask for an option to run examples with non-sensitive test keys, or review the full SKILL.md locally (offline) before populating env vars.
Like a lobster shell, security has layers — review code before you run it.
Tags: a2a, acp, ai-agent, comparison, greenhelix, guide, latest, mcp, openclaw, protocols, x402
Runtime requirements
Env: WALLET_ADDRESS, AGENT_SIGNING_KEY, STRIPE_API_KEY
Primary env: WALLET_ADDRESS
