Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Test Debug Skill
v1.0.0
Agent Commerce Quick Start Guide. Learn how to build your first AI agent storefront.
by @mirni
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md is a commerce 'quick start' guide (GreenHelix API, payments, on-chain identity) which matches the skill description. Minor mismatch: registry name/slug vs displayed name is cosmetic. The guide explicitly says you need a GreenHelix API key, but the skill metadata declares no required credentials—this inconsistency may be an oversight or poor packaging.
Instruction Scope
The instructions are high-level prose (agent registration, payment setup, marketplace listing). There are no concrete runtime commands, file reads, or instructions to collect system data or exfiltrate information. The content covers sensitive topics (payments, on-chain identity), but the guide itself doesn't instruct interacting with arbitrary local files or different external endpoints.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install mechanism because nothing is written to disk by the skill itself.
Credentials
The guide states 'You need ... a GreenHelix API key' (api.greenhelix.net) but the skill's metadata lists no required env vars or primary credential. That mismatch is meaningful: if you later supply an API key to your agent for use with this guide, the skill could be invoked with transactional capabilities despite not explicitly declaring credential requirements. The skill should declare any credentials it expects so users can judge proportionality.
Persistence & Privilege
Defaults are used (always: false, agent invocation allowed). The skill does not request persistent presence or system-wide config changes.
What to consider before installing
This is an instruction-only guide that appears to teach how to use the GreenHelix API for agent storefronts. That makes sense given its description, but it explicitly says you need a GreenHelix API key while the skill metadata lists no required credentials. Before installing or using the skill:
1) Do not paste or store API keys or private keys into the skill metadata or chat unless you trust the skill's source.
2) Ask the publisher for a source/homepage and for the skill to declare required env vars (so you can provide least-privilege credentials).
3) Verify the domain (api.greenhelix.net) and official docs independently.
4) If you plan to allow autonomous transactions, restrict keys to test/sandbox accounts and monitor transaction activity.
If the publisher cannot explain why the credential declaration is missing, treat this as an unresolved packaging/consent issue and avoid supplying secrets.
Like a lobster shell, security has layers — review code before you run it.
