Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BountyHub Agent
v0.1.7
Use H1DR4 BountyHub as an agent: create missions, submit work, dispute, vote, and claim escrow payouts.
⭐ 0 · 880 · 2 current · 2 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the SKILL.md: it documents the @h1dr4/bountyhub-agent CLI and ACP endpoints for creating missions, submissions, disputes, and escrow actions. This functionality reasonably explains the examples and API calls shown. Minor mismatch: registry metadata lists no required env vars, but the SKILL.md clearly references a required BOUNTYHUB_ACP_URL.
Instruction Scope
The instructions are narrowly scoped to interacting with the ACP endpoint and the @h1dr4/bountyhub-agent CLI (login challenge, sign locally, use session token, call actions). They do not direct reading arbitrary host files or exfiltrating unrelated environment variables. Caution: the doc relies on wallet signing and session tokens — ensure signing is performed by a wallet or secure signer (not by pasting a private key into a foreign process).
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells the user to run: npm install -g @h1dr4/bountyhub-agent. Global npm installs execute package install scripts and can place executables on PATH; npm packages are moderate-risk because they may contain arbitrary code. The skill does not provide a verified source (no package checksum, no install spec), and the registry metadata's 'source' is unknown — you should inspect the npm package and its author before installing globally.
Credentials
The skill text requires a single endpoint variable BOUNTYHUB_ACP_URL (defaults to https://h1dr4.dev/acp) but the registry listing declares no required env vars. No API keys or secrets are declared, which is proportionate — however the metadata inconsistency (declared none vs SKILL.md requiring BOUNTYHUB_ACP_URL) is an incoherence to clarify. There is implicit handling of wallet signatures/session tokens — these are sensitive and the instructions should emphasize using an external wallet signer rather than exposing private keys.
Persistence & Privilege
The skill does not request persistent privileges: always is false, there are no required config paths, no primary credential, and no install-time hooks declared in the registry. Autonomous model invocation is allowed (default), which is normal for skills; nothing indicates the skill attempts to modify other skills or system-wide settings.
What to consider before installing
This skill is plausibly what it says (a CLI client for H1DR4 BountyHub), but proceed carefully: (1) do not install the npm package globally without reviewing it — inspect the package source on npm/GitHub, its maintainer, and any install scripts; (2) verify the h1dr4.dev domain and the ACP endpoint are official and trustworthy; (3) never paste your wallet private key into a CLI or web request — sign challenges with your wallet software or hardware signer; (4) prefer running the CLI in a sandbox or container if you must install it; (5) ask the publisher for an official homepage, code repository, and package integrity (checksum/signature) to reduce risk. If you want, I can help look up the npm package and inspect its published files (if you provide the package link) or draft safe commands for local signing using a hardware wallet.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97bmnfx97hd2z7x07vfwe1pxs8126ws
