ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

XPR DeFi

v2.1.1

Read-only DeFi queries for Metal X prices, swap rates, liquidity pools, and multisig proposal creation, approval, listing, and cancellation on XPR Network.

0· 676·1 current·1 all-time
by@paulgnz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md and src/index.ts implement both read-only queries and many write operations (orders, swaps, liquidity, multisig propose/approve/cancel). However, skill.json declares no required environment variables or credentials. The top-line description sometimes calls the skill "read-only" while the tool list and code clearly include write tools — this is an explicit mismatch. A DeFi skill that supports on-chain writes legitimately needs a signing key and RPC endpoint; those are missing from the declared requirements.
!
Instruction Scope
SKILL.md places sensible constraints (e.g., all write ops require confirmed:true and multisig proposals must be explicitly requested), but it does not disclose that write tools require access to your XPR private key, account, and RPC endpoint. The runtime instructions therefore omit critical operational details the agent will need to perform writes. The code itself reads process.env.XPR_PRIVATE_KEY, XPR_ACCOUNT, and XPR_RPC_ENDPOINT for write operations — this is not documented in requires.env.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer-side risk. However, the code dynamically imports '@proton/js' at runtime and includes source + tests but no declared dependencies in skill.json. That mismatch means the skill may fail at runtime or attempt to load packages unexpectedly from the environment; the skill author should declare dependencies.
!
Credentials
The code requires highly sensitive environment variables for write actions: XPR_PRIVATE_KEY (private signing key), XPR_ACCOUNT, and XPR_RPC_ENDPOINT, but skill.json's requires.env is empty and no primary credential is declared. Requesting a raw private key is proportionate for on-chain writes only if clearly declared and justified — here that justification is present in function, but it is not reflected in the manifest or SKILL.md as a prerequisite, which is misleading and risky.
Persistence & Privilege
always:false (normal) and disable-model-invocation:false (default autonomous invocation allowed). Autonomous invocation is the platform default; combine that with the skill's ability to sign transactions (if a private key is provided) and you get a larger blast radius. The skill does not request permanent presence or modify other skills' configs.
What to consider before installing
Do not provide your XPR private key to this skill until the author fixes inconsistencies and you fully understand the runtime behavior. Specific concerns: (1) The skill's manifest (skill.json) declares no required env vars, but the code requires XPR_PRIVATE_KEY, XPR_ACCOUNT, and XPR_RPC_ENDPOINT for any write operations. This means write tools will attempt to use your private key if you set those env vars — the skill should explicitly declare that requirement and mark write tools as optional. (2) The package dynamically imports '@proton/js' but dependencies aren't declared; ask the author to list dependencies or provide an install spec. (3) SKILL.md claims strong safety rules (confirmed:true, don't auto-execute proposals) — verify the runtime enforces them and that the agent platform will surface confirmation prompts. Recommended actions before installing: ask the publisher to update skill.json to list required env vars and dependencies, provide explicit documentation on when and how the private key is used, and make write tools opt-in; run the skill in an isolated test agent with no private key to validate read-only behavior; if you must enable writes, prefer using a time-locked or limited-signing key and keep the key out of broad environment scope (use ephemeral signing service or hardware wallet if possible).

Like a lobster shell, security has layers — review code before you run it.

blockchainvk973zcv2c6512bamgfbafkzpz5813p7wdefivk973zcv2c6512bamgfbafkzpz5813p7wlatestvk972sj52xeb6ft8699d1szgf8h815j18swapvk973zcv2c6512bamgfbafkzpz5813p7wxprvk973zcv2c6512bamgfbafkzpz5813p7w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments