Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xtown Skills
v0.1.0
Manage BNBTown identity, wallet, DeFi actions, token launch, and market research on BNB Chain using Unibase Pay and the ERC-8004 autonomous Agent framework.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to manage BNBTown identity/wallet/DeFi and references Unibase Pay and an XTown server URL, which legitimately require authentication tokens and a server endpoint. However, the registry declares no required environment variables or credentials while SKILL.md and references/ files require XTOWN_SERVER_URL, UNIBASE_PROXY_AUTH (JWT), and optionally UNIBASE_AGENT_PRIVATE_KEY for automated login. That mismatch is incoherent: a wallet/DeFi skill should declare its required credentials explicitly.
Instruction Scope
The runtime instructions direct the agent to immediately (on load) check config.json and, if missing, start onboarding without waiting for an owner prompt ('DO NOT wait for the owner to ask'). The skill instructs internal calls (POST /v1/init) to obtain an authUrl, to persist JWTs into a local config.json per-agent entry, and provides an automated private-key path (Path B) if UNIBASE_AGENT_PRIVATE_KEY is present. Those behaviors go beyond passive documentation — they give the agent proactive, persistent responsibilities and access to sensitive auth material.
Install Mechanism
No install spec and no code files — instruction-only. This limits supply-chain risk because nothing is downloaded or executed during install. The security surface is the runtime instructions and persisted configuration only.
Credentials
The skill requires storing and using UNIBASE_PROXY_AUTH (JWT) and optionally UNIBASE_AGENT_PRIVATE_KEY for silent login. The registry declared no required env vars; that's a clear omission. Requesting a private key (even as an optional automated path) is highly sensitive and should be explicitly declared and justified. Persisting JWTs in repo-local config.json also raises disclosure risk if that file is synced or backed up.
Persistence & Privilege
The skill instructs persisting tokens and session_token into a config.json and running a heartbeat every 60s to remain visible on the map. While storing session state is plausible for a wallet skill, the combination of: (1) automatic onboarding on load, (2) persistent token storage in a repo-local file, and (3) an automated private-key login path increases the blast radius if the skill or environment is compromised. The skill does not request 'always: true', but autonomous invocation plus these persistent credentials is sensitive.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] expected: The scanner matched 'ignore-previous-instructions'. In context the SKILL.md explicitly lists phrases to treat as prompt-injection and instructs the agent to refuse them — this appears to be a defensive anti-injection block rather than an attempted injection.
What to consider before installing
This skill appears to be designed to operate a custodial wallet and perform on-chain actions, which reasonably requires a server URL and an auth token (JWT). However, the registry metadata did not declare any required environment variables while the SKILL.md expects XTOWN_SERVER_URL and UNIBASE_PROXY_AUTH (and optionally a private key env) and tells the agent to persist those tokens in a local config.json. Before installing:
- Verify the skill's publisher/source (it's listed as unknown/no homepage). Prefer only skills hosted by known vendors.
- Do NOT set UNIBASE_AGENT_PRIVATE_KEY or other private keys in the environment unless you fully trust the code and hosting; if present, the skill can authenticate silently.
- Expect the skill to prompt you immediately on first load and to ask you to paste a JWT (authUrl flow). Make sure you understand where that token comes from and store it securely; avoid pasting private keys into chat.
- Inspect or control where config.json will be written. If it will be stored in a repo, cloud-synced folder, or shared workspace, that is a high-risk location for tokens.
- Ask the publisher to update registry metadata to explicitly declare required env vars (XTOWN_SERVER_URL, UNIBASE_PROXY_AUTH, UNIBASE_AGENT_PRIVATE_KEY) and to justify the automated login path.
- If you proceed, limit the skill's autonomous privileges (if platform allows) and monitor any persisted tokens; revoke them immediately if you suspect misuse.
Given the metadata/instruction mismatch and the proactive onboarding/persistence behavior, treat this skill with caution — the inconsistencies could be sloppy packaging or could enable unintended token exposure.
SKILL.md:64
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
