Skill v1.0.0
ClawScan security
OP0 Altar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 7:55 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and instructions mostly match a token‑deployment tool, but there are unexplained bits (an unused 'node' binary requirement), and it allows autonomous API‑key generation and instructs users to send SOL to a third‑party dev_wallet — which merits caution before installing or using.
- Guidance: This skill appears coherent for creating tokens via the OP0 API, but exercise caution because it: 1) can generate API keys for you (agent could do this autonomously), and 2) instructs users to send SOL to a dev_wallet address returned by the service. Before installing or using it: verify the legitimacy of api.op0.live and the skill's publisher; do not provide private keys or seed phrases; prefer to generate and store OP0_API_KEY yourself rather than letting an agent do it automatically; confirm ownership/intent of any dev_wallet address before sending funds; question the unexplained 'node' requirement; and avoid use if you cannot independently verify the endpoint or the business model (fees sent to third‑party wallets). If you want higher assurance, ask the publisher for a homepage, source repo, or independent reviews of the OP0 service.
Review Dimensions
- Purpose & Capability (note): Name/description align with the declared OP0 API usage and the SKILL.md describes the expected API endpoints and actions. However the metadata requires 'node' (anyBins) even though SKILL.md only shows curl usage; that binary requirement appears unnecessary.
- Instruction Scope (concern): Instructions tell the agent to call https://api.op0.live to create altars, generate API keys if OP0_API_KEY is missing, and to instruct the user to transfer SOL to a returned dev_wallet address. Autonomous generation of API keys and the workflow that asks users to send funds to a third‑party wallet are sensitive operations and the SKILL.md does not describe any wallet ownership verification or safeguards.
- Install Mechanism (ok): Instruction-only skill with no install spec or downloaded artifacts. package.json only references SKILL.md. This is low install risk.
- Credentials (note): Only OP0_API_KEY is required which is proportional to calling a third‑party API. The extra declared binary 'node' is unexplained. The skill instructs saving the API key into OpenClaw config or environment — that's expected but increases sensitivity of the stored secret.
- Persistence & Privilege (ok): always:false (not force‑included) and normal autonomous invocation is allowed. The skill does not request system‑wide config edits or other skills' credentials.
