Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ntriq Esg Regulatory Compliance
v1.0.1
Track ESG, AI, and environmental regulations across US and EU. Federal Register and EUR-Lex monitoring, compliance timelines, industry impact analysis. Free...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (ESG, AI, Federal Register, EUR-Lex monitoring) matches the SKILL.md content and example response. Monitoring public government sources does not inherently require credentials, so the absence of required env vars can be plausible. However the README advertises 'pay-per-use' and references an Apify listing and a proprietary domain (https://x402.ntriq.co.kr) without declaring any credentials or payment token requirements, which is an unexplained omission.
Instruction Scope
SKILL.md is instruction-only and provides parameter schema and a single example curl to https://x402.ntriq.co.kr/services. It does not instruct reading local files, environment variables, or other system state. However it is vague about runtime behavior: no authentication headers, no error-handling guidance, and no explicit instruction on what endpoints to call for each parameter. The lack of clear, constrained runtime steps gives the agent broad discretion to call an external service.
Install Mechanism
There is no install spec and no code files; the skill is purely documentation/instruction. That minimizes on-disk execution risk.
Credentials
The skill requests no environment variables or credentials, which is consistent with accessing public sources. But the 'pay-per-use' wording and Apify/micropayments references suggest the service may require API keys or payment tokens in practice; the absence of declared credentials is an information gap that should be clarified before use.
Persistence & Privilege
The skill does not request always:true and will not be force-included. It uses the platform default allowing autonomous invocation, which is normal and not excessive here.
What to consider before installing
This skill appears to document a third-party regulation-monitoring API but is incomplete about how to call it and about authentication/payment. Before installing or invoking it: (1) verify the publisher and the https://x402.ntriq.co.kr domain (who runs it, TLS cert, privacy policy); (2) check the Apify listing and pricing to see whether API keys or payment tokens are required and where those should be stored (they are not declared in the skill); (3) avoid supplying any unrelated credentials and do not let the agent send local files or secrets to the external endpoint; (4) test calls in a controlled environment and monitor network traffic to understand what data is transmitted; (5) if you need stronger assurance, ask the publisher for explicit API docs and an explanation of required auth and data handling before use.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97a9m7rv7p89nrm4gw3y9k9h984fmz6
