Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentBooks

v0.1.5

Financial management for AI agents. Track LLM inference costs, record confirmed income, manage multi-provider crypto wallets, and compute a Financial Health...

by acnlabs@neiljo-gy
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (track costs, record income, manage wallets, compute Financial Health Score) match the SKILL.md content. The listed optional env vars and CLI commands (agentbooks guard, record-cost, record-income, wallet-connect, status, financial-health) are directly relevant to the described functionality and nothing unrelated is requested.
Instruction Scope
The runtime instructions tell the agent to run the third‑party CLI (agentbooks) and to use commands that will access a data directory, connect to wallet providers, and call out to external providers. The SKILL.md explicitly warns to sandbox and not to supply private keys; it does not instruct reading unrelated system files or secrets. It does assume access to runner token counts or the ability to call the runner's economy-hook if available. Overall the scope stays within a financial bookkeeping domain but enables networked wallet/provider operations.
Install Mechanism
There is no bundled code; the skill instructs the agent to install or npx an npm package from the public registry (agentbooks). Downloading and executing an unbundled npm package at runtime (especially via npx which fetches on each invocation) is a supply-chain risk: the package could contain arbitrary JS executed on the host. The skill does warn to review the repo before running, but the registry entry itself provides no install artifact or pinned integrity check.
Credentials
No required env vars are declared; only optional ones (AGENTBOOKS_AGENT_ID, AGENTBOOKS_DATA_PATH, AGENTBOOKS_PROVIDER, LLM_MODEL) that are reasonable for this tool. Wallet/provider credentials are necessarily part of the wallet-connect flow but the SKILL.md explicitly states it does not handle credential storage and delegates sensitive operations to the CLI. Requiring provider credentials would be expected for wallet management; the skill itself does not request unrelated secrets.
Persistence & Privilege
always:false and normal autonomous invocation are set (platform defaults). The skill does not request forced permanent inclusion or modify other skills. Note: allowing the agent to autonomously invoke a CLI that can connect to external providers increases operational risk if you permit the agent to run commands without human oversight, but that is a platform-level policy decision rather than an inconsistency in this skill.
Assessment
This skill is coherent with its purpose but relies on fetching and running an external npm package at runtime—treat that as the primary risk. Before installing/invoking: (1) review the referenced GitHub repo and npm package owners/versions; prefer a pinned version and verify package integrity (checksums or signed releases); (2) run the CLI first in a sandbox/container and monitor outbound network activity; (3) set AGENTBOOKS_DATA_PATH to a dedicated, non-shared directory; (4) do not connect real wallets or paste private keys until you understand the provider auth flow—use testnets or throwaway wallets for evaluation; (5) if you do not want the agent to run the CLI autonomously, restrict the skill’s invocation or require explicit human approval for wallet-connect and other sensitive commands.
