Molt Sift

v0.1.0

Validate and extract high-confidence signals from JSON, text, or streams using customizable rules, with schema validation and integrated Solana bounty payments.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill advertises PayAClaw and Solana x402 payment integration (auto-triggered USDC transfers) but manifest/registry metadata declare no required environment variables, no credential, and no config paths. A payment-capable bounty agent legitimately needs private keys/API keys (Solana wallet, x402 key, PayAClaw API key); their absence in the declared requirements is incoherent.
! Instruction Scope
SKILL.md and the included API/agent code instruct running an HTTP /bounty endpoint, an auto-claiming bounty watcher, and automatic payment triggers. Those runtime instructions allow network interactions that can claim jobs, submit results, and initiate payments — operations that extend beyond simple local data validation and should require explicit configuration and authentication. The instructions give broad discretion (auto-claim/auto-pay) without describing safeguards or auth.
Install Mechanism
There is no install spec (no external download), which reduces installer risk. However the package contains multiple executable Python scripts (CLI entry point, Flask API, bounty agent, Solana/payment client) that will be written to disk if installed. That is expected for a tool of this type but means the code will run on the host and can perform network I/O — so review of code is required before installation.
! Credentials
The code and docs clearly expect secrets (PAYACLAW_API_KEY, X402_API_KEY, SOLANA_WALLET/private key, SOLANA_RPC) in deployment guides, but the skill metadata declares none as required. Requesting no credentials while promising payment functionality is disproportionate and ambiguous: either the payment code is stubbed/mocked (safe but misleading) or it will attempt to use credentials from unspecified locations (unsafe).
Persistence & Privilege
always:false (good). The skill can be invoked autonomously (platform default). Combined with auto-claim and auto-pay behavior this increases potential impact, but autonomous invocation alone is not a disqualifier — it's the combination with payment flows and missing auth that raises concern.
What to consider before installing
Do not install or run this skill on any environment with real keys or funds without manual review. Things to verify with the author or before running:
- Is the PayAClaw/x402 integration truly mock-only? Identify which files implement real payment logic vs stubs.
- Where and how are Solana wallet keys and API keys provided/loaded? The manifest declares no required env vars but the code and docs reference secrets — this must be explicit.
- Audit send_payment / trigger_payment implementations to confirm they do not read arbitrary files or exfiltrate data and that they require explicit, well-documented credentials.
- If you plan to run the API server, run it locally behind authentication or in an isolated sandbox (no real keys), and require API key/auth for POST /bounty before exposing to network.
- Prefer running the test suite and reviewing test stubs to confirm payments are mocked; if you need production payments, require secure secret storage (not plaintext env without rotation) and limit network exposure.

If you want, I can scan the specific payment-related functions (scripts/solana_payment.py, scripts/payaclaw_client.py, scripts/api_server.py, scripts/bounty_agent.py) and summarize exact code paths that perform network calls, key usage, or file access.

Like a lobster shell, security has layers — review code before you run it.

Tags: a2a-economy, bounty, data-quality, latest, micro-payments, solana, validation
