Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Graph Aave Mcp
v4.0.7
Aave V2/V3/V4 MCP server — 40 tools across 16 Graph subgraphs + Aave V4 API. Covers reserves, positions, cross-chain liquidation risk monitoring, governance,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide Aave V2/V3/V4 tools via The Graph and Aave V4 API, which aligns with the instructions (queries to The Graph, npm package named graph-aave-mcp). However, the registry metadata omits the environment variable, while SKILL.md requires a GRAPH_API_KEY and implies npm is needed: a mismatch between declared requirements and runtime instructions.
Instruction Scope
SKILL.md's runtime instructions are focused: install the npm package, run the binary, and set GRAPH_API_KEY. It does not instruct reading arbitrary system files or unrelated environment variables, nor sending data to unexpected endpoints beyond The Graph/npm. No broad data-collection steps are present in the instructions.
Install Mechanism
There is no install specification in the registry, yet SKILL.md instructs users to install an npm package globally (npm install -g graph-aave-mcp). Installing an external npm package executes remote code from the npm registry — a moderate-risk action. The SKILL.md provides npm and GitHub links (helpful), but the absence of an install spec in the skill bundle and no pinned release info means the installer behavior and provenance aren't enforced by the registry metadata.
Credentials
SKILL.md requires a single GRAPH_API_KEY for The Graph, which is appropriate for the claimed functionality. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none', creating an inconsistency. Requesting one API key is proportional, but the metadata mismatch is confusing and could lead to unexpected runtime prompts.
Persistence & Privilege
The skill does not request always:true, does not include install-time system modifications in the bundle, and is user-invocable. Autonomous invocation is allowed by default (normal). There is no indication the skill will attempt to modify other skills or agent-wide settings.
What to consider before installing
Before installing: verify the npm package and GitHub repository (maintainer, stars, recent commits, package author) to ensure the code is trustworthy. Note that SKILL.md asks you to run 'npm install -g graph-aave-mcp' which will execute code downloaded from npm — consider installing in a sandbox/container or vetting the package source first. Confirm the package name matches the linked GitHub repo and check package versions and release notes. Also set a dedicated GRAPH_API_KEY (The Graph) with minimal permissions and avoid using broader credentials. Ask the publisher to update registry metadata to declare GRAPH_API_KEY and an explicit install spec (including trusted source and version) to reduce risk.

Like a lobster shell, security has layers — review code before you run it.
