Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Slv Benchmark
v0.13.15Run benchmark tests and connectivity checks for SLV endpoints using shredstream, grpc, or rpc with region-aware configuration and API key support.
⭐ 0· 92·0 current·0 all-time
byELSOUL LABO B.V.@poppin-fumi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and AGENT.md describe exactly the stated purpose (generating geyserbench configs, region-aware measurements, using an ERPC API key). However the provided skill.json lists system requirements (curl, optional geyserbench) while the registry metadata shows no required binaries — that's an internal inconsistency. Otherwise the resources the skill uses (local api.yml and a local benchmark binary) are coherent with benchmarking functionality.
Instruction Scope
Instructions explicitly tell the agent to read ~/.slv/api.yml for the ERPC API key and to run a local benchmark binary (geyserbench) if present. Both actions are reasonable for a benchmarking tool, but they allow the agent to read a file in your home directory (which may contain secrets) and to execute a local binary. There are no instructions to read unrelated config or to exfiltrate data, and the only network target mentioned is the expected erpc_url (https://edge.erpc.global).
Install Mechanism
This is instruction-only with no install spec and no code files; nothing will be downloaded or written by the skill itself. That minimizes installation risk.
Credentials
The skill requests no environment variables or credentials via the registry metadata, but it does expect an ERPC API key stored in ~/.slv/api.yml. Requesting the local config file is proportional to its function, but it is a form of secret access worth noting. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and has no install actions that modify agent/system settings. It can be invoked autonomously per platform defaults, which is normal for skills; there is no evidence it requests persistent elevated privileges.
What to consider before installing
This skill appears to do what it says (generate geyserbench configs, check endpoints, and use an ERPC API key) but review these before installing:
- Confirm the source: the registry metadata shows limited provenance and the skill.json points at a GitHub repo; verify that repo and the author (ValidatorsDAO) are the expected maintainers.
- Be aware the agent will look for and read ~/.slv/api.yml to obtain an ERPC API key. If that file contains other secrets or you don't want the agent reading files in your home directory, do not install or remove/relocate the key beforehand.
- The skill will prefer to run a local benchmark binary (geyserbench) if present. Running a binary means arbitrary code execution on your host — ensure geyserbench is from a trusted source and you understand its behavior.
- Note internal inconsistencies: registry metadata lists no required binaries while skill.json declares 'curl' and optional 'geyserbench'; the version in skill.json (0.9.962) differs from the registry version (0.13.15) and the skill's homepage was listed as none while skill.json points to a GitHub page. These mismatches could be benign (packaging sloppiness) but merit verification with the publisher.
If you trust the publisher and are comfortable with the agent reading ~/.slv/api.yml and optionally executing geyserbench, the skill is functionally coherent. If not, ask the author to clarify the discrepancies and to provide a verified homepage/repository before proceeding.Like a lobster shell, security has layers — review code before you run it.
latestvk9771ydyynrtwmhckev1cw1fh983xfxj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.