Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Social Skill
v0.1.0
Manage Farcaster social interactions, casting, and feed monitoring. Trigger this when users want to post casts, check their feed, or interact with other agents.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md claims integration with 'Neynar API', ElevenLabs TTS, and a publishCast tool at /src/agent/tools/farcaster.ts, but the skill bundle contains no code, no tool implementations, and no homepage/source. It is unclear how the skill would legitimately perform posting or identity verification as described.
Instruction Scope
Runtime instructions direct the agent to draft posts, call an external TTS bridge, automatically attach transaction hash links for swaps, and 'verify' Farcaster identities. All of these actions require concrete APIs, auth, or access to transaction data. The SKILL.md does not specify endpoints, auth flows, or how to obtain or verify the required data, which amounts to scope creep and leaves the instructions ambiguous.
Install Mechanism
This is instruction-only (no install spec, no files beyond SKILL.md), which reduces disk-write risk. However, the skill allows use of the Fetch tool and explicitly instructs network interactions with external services (Neynar, ElevenLabs), so the agent could make outbound requests if invoked.
Credentials
The instructions implicitly require API credentials (Neynar, ElevenLabs) and possibly transaction/chain-read access, but the registry metadata lists no required environment variables or primary credential. That mismatch is a red flag: the skill expects external service access but does not declare how that will be provided or protected.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. It does not request elevated platform persistence or claim to modify other skills/config — no immediate privilege escalation is visible from the metadata.
What to consider before installing
This skill's description claims posting, TTS, and identity verification, but the package contains only a prose SKILL.md and no code or declared credentials. Before installing, ask the publisher for: (1) source repository or homepage and the actual publishCast tool implementation, (2) explicit list of required API endpoints and environment variables (Neynar and ElevenLabs keys) and how they are stored, (3) details on how Farcaster identity verification is performed. Treat the skill as potentially able to make arbitrary outgoing HTTP requests (it uses Fetch). If you must test it, do so in a restricted/sandboxed environment and do not provide real API keys or sensitive transaction data until you can review the code and confirm the endpoints and auth flows.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f976vvnkz428ck5n8j6rpdh82whbe
