ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

31Third Safe Rebalancer

v0.2.0

Policy-aware Safe portfolio rebalancing assistant for 31Third ExecutorModule.

0· 188·0 current·0 all-time
by@phips0812
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the included code (balancer, executor, policies, ABIs) and the SKILL.md. However the registry metadata declared 'Required env vars: none' and 'instruction-only', while the SKILL.md explicitly lists multiple required environment variables (SAFE_ADDRESS, CHAIN_ID, TOT_API_KEY, RPC_URL, EXECUTOR_MODULE_ADDRESS, EXECUTOR_WALLET_PRIVATE_KEY, etc.) and the repo includes full source and ABI files. That mismatch (metadata says no envs / instruction-only; package contains code and demands sensitive envs) is disproportionate and unexplained.
Instruction Scope
SKILL.md provides concrete CLI and execution steps (npm run cli commands, how to build approvals, decode/encode calldata, checkPoliciesVerbose, require scheduler==registry, etc.). The instructions are narrowly scoped to on-chain reads and executing rebalance batches, which is coherent with the stated purpose. However instructions require providing an executor private key for signing transactions, and recommend running npm scripts which will execute bundled code — both are legitimate for this use but increase risk and should be handled securely.
Install Mechanism
No installer spec in registry (instruction-only), but the skill bundle actually contains Node.js source, dist files, package.json and a package-lock. SKILL.md tells users to run 'npm install' and 'npm run build'. This is a moderate-risk pattern: installing npm deps executes third-party code and scripts. There are no external download URLs or extract steps, but running npm build/cli will execute the shipped code on the host.
!
Credentials
SKILL.md legitimately requires RPC_URL, CHAIN_ID, TOT_API_KEY, SAFE_ADDRESS, EXECUTOR_MODULE_ADDRESS and an executor private key for signing on-chain transactions. Those variables are appropriate for a rebalancer. The problem: the skill metadata did not declare any required env vars or primary credential. A skill that needs an executor private key should declare that as its primary credential so users know up-front. Requiring a private key is sensitive; ensure it's an executor-only key with limited permissions and not the Safe owner key. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true', does not claim to modify other skills or system-wide configs, and follows the normal autonomous-invocation defaults. No additional persistence or elevated platform privileges are requested in the manifest.
Scan Findings in Context
[prompt-injection/base64-block] unexpected: The static scanner flagged a 'base64-block' pattern in SKILL.md. The visible SKILL.md content does not show obvious base64 payloads, so this may be an artifact or hidden block elsewhere in the published SKILL.md. Base64 blobs in an instruction file are not expected for a rebalancer and deserve review to ensure no embedded opaque instructions or data are trying to influence runtime behavior.
What to consider before installing
This skill appears to implement the rebalancer it claims, but there are important mismatches and sensitive requirements you should address before installing: - Confirm metadata vs SKILL.md: the registry lists no required env vars and 'instruction-only', but SKILL.md and the package require many env vars and include Node code. Ask the publisher to correct the manifest to list required envs and the primary credential. - Protect private keys: the skill asks for an EXECUTOR_WALLET_PRIVATE_KEY. Never provide your Safe owner key. Use an executor key with strictly limited permissions, prefer an HSM/hardware signer or ephemeral signing account, and test in staging. - Audit the code & dependencies: the package includes many source/dist files and a package-lock.json. Review the code (or have a trusted reviewer do so) and inspect npm dependencies and any npm scripts before running npm install / npm run build. Running 'npm' will execute third-party code on your machine. - Investigate the scan-finding: ask the publisher to explain the base64-block scanner hit and provide a clean SKILL.md without opaque embedded blocks. If you can't locate the block, avoid using the skill until clarified. - Test in sandbox: exercise the CLI in read-only/smoke modes and on a testnet or staging Safe before any production run. Verify the execution semantics (scheduler==registry, checkPoliciesVerbose, approval flows) in a controlled environment. If the publisher can update the manifest to declare required envs and primary credential, and you or a reviewer confirm there are no hidden payloads and dependencies are safe, this skill is plausible to use — but do not supply high-privilege keys until those checks are done.
dist/tests/rebalance.test.js:325
Environment variable access combined with network send.
tests/rebalance.test.ts:351
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

alphavk97dhjv3k6wmmm2czk6wwywbfs8138j9latestvk974a47vcz3q2nwdmgw78am5d18338rg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments