Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nansen Alerts Webhook Listener
v1.0.0
Set up a local webhook server to receive Nansen smart alerts in real-time with HMAC signature verification and public tunneling. Use when a user wants to lis...
by Nansen AI (@nansen-devops)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name/description say it only sets up a local webhook receiver with HMAC verification and an optional public tunnel. However, the registry metadata requires the 'nansen' binary and declares NANSEN_API_KEY as the primary credential. The SKILL.md explicitly says it does NOT create or modify alerts, so requiring an API key and the nansen CLI is disproportionate and unexplained.
Instruction Scope
The runtime instructions are specific and constrained (bind to 127.0.0.1, POST /webhook, HMAC verification, 1 MB limit, graceful shutdown) which is good. But the instructions also reference additional environment variables (OPENCLAW_GATEWAY_URL, OPENCLAW_AUTH_TOKEN) that are not listed in requires.env, and they include optional forwarding of verified payloads to another local service. The agent is told to create and run a server and to expose it via a tunnel (ngrok/localtunnel) — acceptable for the purpose but the combination of forwarding to OpenClaw and undeclared env usage should be explicit in metadata.
Install Mechanism
The install spec installs an npm package 'nansen-cli' (creates 'nansen' binary). npm installs from the public registry are moderate risk but commonly acceptable. The concern is not the mechanism itself but that installing nansen-cli appears unnecessary for a listener that 'does NOT create or modify alerts'. If the CLI is only for testing, that should be documented; otherwise the requirement is disproportionate.
Credentials
Only NANSEN_API_KEY is declared as required/primary, but the SKILL.md never needs that key to run the webhook receiver (it verifies incoming HMACs with a separately generated WEBHOOK_SECRET). The instructions also reference OPENCLAW_GATEWAY_URL and OPENCLAW_AUTH_TOKEN (used for forwarding) but these are not declared as required or optional env vars. Requiring NANSEN_API_KEY without justification is a red flag — ask why the key is needed and do not supply it unless necessary.
Persistence & Privilege
The skill is not always-enabled and does not request permanent presence or elevated platform privileges. It also does not attempt to modify other skills. Normal autonomous invocation is allowed (default), which is expected for skills.
What to consider before installing
Do not install or provide secrets yet — ask the publisher why the skill requires 'nansen' and NANSEN_API_KEY when the doc says it only runs a local webhook server. Confirm whether you actually need the nansen CLI; if not, remove that requirement. Before running any generated server script:
(1) inspect the exact code the skill will write (ensure the HMAC comparison is timing-safe and implemented correctly, and that there are no obvious bugs);
(2) keep the tunnel up only as long as needed and rotate the webhook secret afterward;
(3) if you enable OpenClaw forwarding, verify that the target URL and token are safe and declared in the skill metadata;
(4) prefer localtunnel only for short tests — ngrok is recommended for stability but requires its own auth token.
If the publisher cannot justify the API key or the nansen install, consider the skill incoherent and avoid supplying credentials.
Latest version id: vk97fhr5wtpnw533dnbbvw8z4b184kvhq
Runtime requirements
Bins: nansen, node
Env: NANSEN_API_KEY
Primary env: NANSEN_API_KEY
Install
Node
Bins: nansen
npm i -g nansen-cli