Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hypha Payment

v0.1.0

P2P agent coordination and USDT settlement via the Hypha Network. Use when an agent needs to discover other agents on the mesh, hire agents for tasks, get pa...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (P2P discovery, USDT settlement on Base L2) align with the included instructions and helper script. The SKILL.md only expects the hypha-sdk and optional RPC/provider configuration; nothing in the package asks for unrelated cloud credentials or system-level access.
Instruction Scope
Runtime instructions require creating/using a seed or private key (SeedManager / Wallet), discovering peers, announcing services, and sending on-chain payments — all consistent with the stated purpose. Two minor inconsistencies/risks to note: SKILL.md claims the Hypha Foundation runs a bootstrap node while references/network.md currently lists bootstrap nodes as 'localhost' (local-only), which is confusing; and the skill instructs embedding or printing seed phrases (sensitive material) which is functionally necessary but security-sensitive and should be handled carefully.
Install Mechanism
No install spec is embedded; the SKILL.md recommends pip install hypha-sdk from PyPI. That is a normal package install path. There are no downloads from arbitrary URLs or archive extraction in the skill bundle.
Credentials
The skill doesn't require any environment variables to function, but documents optional env vars (PRIVATE_KEY, WEB3_PROVIDER_URI, ESCROW_CONTRACT_ADDRESS, USDT_CONTRACT_ADDRESS). Those are appropriate for a wallet/payment integration but are highly sensitive — providing PRIVATE_KEY or a malicious WEB3_PROVIDER_URI would have direct security/financial consequences.
Persistence & Privilege
The skill's always setting is false, and the skill does not attempt to modify other skills or system-wide settings. There is no persistent install artifact beyond the optional hypha-sdk dependency the user would install manually.
Assessment
This skill appears to do what it says (peer discovery + USDT payments) but handles private keys/seeds and connects to RPC/bootstrap endpoints, so:
1) Do not paste production private keys or seeds into examples — use an ephemeral/test key or a hardware wallet where possible.
2) Verify the hypha-sdk package and its GitHub source yourself (review code, pip package metadata, and contract addresses) before installing.
3) Test on Sepolia/testnet first (the bundle lists testnet contract addresses).
4) Be cautious when setting WEB3_PROVIDER_URI or bootstrap nodes (a malicious RPC/bootstrap node can intercept or misdirect transactions).
5) If you require higher assurance, ask the author for a signed release or audit of the hypha-sdk and confirmation of the Foundation bootstrap endpoints.
