ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

0xscada

v1.0.1

Decentralized Industrial Control Fabric. Bridges SCADA systems with blockchain-backed audit trails and Kannaka memory integration. Provides a unified API for...

0· 297·0 current·0 all-time
byNick Flach@nickflach
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Declared binaries (node, npm, curl, git) and optional docker match a Node-based SCADA server. Optional envs (WEB3_RPC_URL, PRIVATE_KEY, FLUX_*) align with blockchain/Flux integration the description promises.
!
Instruction Scope
Runtime instructions and the script launch a Node repository located outside the skill directory (SCADA_DIR default = ../../..). That means this skill will execute code from whatever repo exists at that path; if SCADA_DIR is incorrect or points to a workspace root you will start arbitrary project code. The script does validate presence of server/index.ts and package.json, but otherwise runs npm run dev in that repository — running unreviewed code is risky.
Install Mechanism
No external downloads; skill is instruction-only and includes an npm install step. However SKILL.md's Quick Start tells users to run npm install inside the skill directory, while the runtime actually starts a server in SCADA_DIR (which may be elsewhere). This mismatch could leave dependencies unstaged where the server expects them.
Credentials
No required env vars, but several sensitive optional envs are declared (PRIVATE_KEY, WEB3_RPC_URL, FLUX_AUTH_TOKEN). Those are justified by the described blockchain/Flux features, but supplying secrets to enable these features exposes them to the code run from SCADA_DIR — ensure the repository is trusted and keys are managed securely.
Persistence & Privilege
No 'always: true' or other elevated persistence flags. The skill runs a local process and does not modify other skills or system-wide agent settings.
What to consider before installing
This skill is a wrapper that runs a Node-based 0xSCADA repository found at SCADA_DIR (defaults to ../../../ relative to the skill). Before installing or running: (1) explicitly set SCADA_DIR to a vetted repository location; do not rely on the default relative path which can point at your workspace root; (2) inspect the target repository's package.json, npm scripts, and server/index.ts to confirm no unexpected commands or network exfiltration; (3) avoid providing PRIVATE_KEY or other secrets unless you fully trust the repository and the network endpoints (WEB3_RPC_URL, FLUX_URL) it will contact; consider using an ephemeral or isolated environment (container/VM) for initial testing; (4) note the SKILL.md/npm install guidance mismatch — ensure dependencies are installed in the same directory the server will run from. These issues make the skill potentially risky even though its declared purpose is coherent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97agdhtpzcmb3hmjyn2w8b7pn82kf21

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Bins[object Object], [object Object], [object Object], [object Object]

Comments