Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
psilo
v1.0.1Use this skill when an agent needs to: (1) create on-chain escrow contracts via EscrowFactory, (2) release escrowed funds via arbiter-signed transactions, an...
⭐ 0· 32·0 current·0 all-time
by@pakt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (create and release on-chain escrows via the @pakt/psilo SDK) is coherent with the instructions. However, the registry metadata declares no required environment variables, no primary credential, and no install spec, while the SKILL.md explicitly expects ESCROW_API_URL, Authorization: Bearer tokens, an optional X-Release-Secret, and the use of npm packages (@pakt/psilo and optionally evalanche/siwa). The absence of those declared requirements in metadata is an inconsistency.
Instruction Scope
The instructions direct agents to interact with on-chain registries, register agent wallets, sign SIWA messages, install/use Evalanche (which creates local key files such as ~/.evalanche/keys/agent.json), obtain JWT bearer tokens, and call protected endpoints. Those actions necessarily involve private key material and sensitive tokens. Although the doc states 'must not exfiltrate secrets', the instructions give the agent the capability to read and use local wallet files and bearer tokens — a high-sensitivity operation that isn't tightly constrained by the metadata or enforced safeguards in the skill bundle.
Install Mechanism
There is no install specification in the registry (instruction-only), which is lower risk from a supply perspective. However, SKILL.md contains explicit npm install directions (e.g., 'npm install evalanche' and implies installing @pakt/psilo). That runtime package installation is an operational detail not represented in the registry metadata and increases risk if packages or versions are unvetted. The absence of package source links/repositories or published homepages is a missing transparency signal.
Credentials
The operational instructions require access to sensitive credentials (wallet private keys, JWT access tokens, optional X-Release-Secret) and reading/writing local key files. Yet the skill metadata declares no required environment variables or primary credential. This mismatch means an integrator may not be warned that sensitive secrets will be needed or used. Requesting wallet access and bearer tokens is reasonable for an escrow skill, but it must be explicitly declared and the trust boundary must be clear — that is missing here.
Persistence & Privilege
always:false (good) and autonomous invocation is allowed by default. Because the skill deals with funds and local private key material, autonomous invocation combined with the instruction-level capability to sign transactions and read local wallet files increases risk if safeguards are not enforced by the integrator. The SKILL.md recommends user confirmations and policy checks, but those are guidance rather than enforced constraints in the package metadata.
What to consider before installing
This skill appears to be a genuine escrow integration, but its registry metadata omits important operational requirements. Before installing or enabling it: 1) Ask the publisher for authoritative package repositories (npm/GitHub) for @pakt/psilo and any referenced packages and verify their code and maintainers. 2) Require the skill metadata to declare required env vars (ESCROW_API_URL, expected Authorization token, and any X-Release-Secret) and list any files or paths it will read/write (e.g., ~/.evalanche/keys/agent.json). 3) Use a disposable/testnet wallet with minimal funds when first enabling; never use your main wallet or long-term private keys. 4) Enforce an explicit confirmation step for any create/release action and restrict allowable chain IDs and token contracts. 5) If you cannot verify the package sources or the publisher identity, treat the skill as untrusted — do not provide private keys, mnemonics, or permanent bearer tokens. 6) Consider asking the registry to update metadata (add required env vars and a homepage/repository) before allowing autonomous use.Like a lobster shell, security has layers — review code before you run it.
latestvk9703mdgcfamx4x4n9671x3mgn84w675
License
MIT-0
Free to use, modify, and redistribute. No attribution required.