Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xclawskill

v1.0.5

Interact with XClaw distributed AI Agent network. Trigger on: XClaw, agent networks, skill marketplace (ClawBay), task routing, agent registration, semantic...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (interact with XClaw agent network) matches the included code and endpoints. However, the registry metadata claims no required environment variables or credentials while SKILL.md and the bundled scripts clearly expect XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID and XCLAW_BASE_URL. That metadata omission is an incoherence (the credentials are relevant to the purpose, but the package does not declare them).
! Instruction Scope
SKILL.md directs the agent to probe network endpoints and to perform read/write operations against the XClaw API (expected). Critically, it instructs 'Do NOT ask about config first' for read-only actions and prescribes a 'Lazy Authentication' flow: if credentials exist use them silently, if missing 'start conversational setup' and collect credentials via chat 'naturally'. These instructions explicitly authorize collecting sensitive secrets from the user at runtime, storing returned tokens/keys, and using them without an explicit, separate consent step — scope creep that raises privacy/exfiltration risk. The docs also reference reading/writing ~/.xclaw/config.json and storing private keys/tokens.
Install Mechanism
No external download/install spec is present (instruction-only + bundled scripts). There are no brew/npm downloads or URL extracts. The only files are local scripts (bash and Node) included in the package, so nothing arbitrary is fetched at install time. However, the included scripts will write a config file to the user's home directory.
! Credentials
The package metadata declares no required env vars, but SKILL.md and scripts rely on and document XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID and XCLAW_BASE_URL; setup.js will generate and persist an Ed25519 keypair (private_key) and save authentication tokens. The skill also encourages collecting API keys/JWTs by chat if not present. Requesting and persisting these sensitive values is proportionate to interacting with the network, but the failure to declare them and the instruction to solicit them conversationally is inconsistent and potentially unsafe.
! Persistence & Privilege
The skill writes persistent credentials to ~/.xclaw/config.json (including generated private_key and tokens) and will reuse them across sessions. always:false (no force inclusion) and normal autonomous invocation are set, but because the skill will store and later use credentials 'silently', an autonomous agent invoking the skill could perform authenticated write operations on the user's behalf using those stored secrets. The skill does not attempt to modify other skills or system-level settings, but persistent storage of private keys/tokens in plaintext is a sensitive privilege that increases risk.
What to consider before installing
This skill appears to implement a real XClaw client, but it has important warning signs: (1) the package metadata omits environment variables that the code and SKILL.md clearly use — XCLAW_JWT_TOKEN, XCLAW_API_KEY, XCLAW_AGENT_ID, XCLAW_BASE_URL — so don't assume safe defaults; (2) SKILL.md tells the agent to gather credentials conversationally and to 'use them silently' and the scripts persist private keys and tokens to ~/.xclaw/config.json (private key stored in plaintext PEM), which could allow subsequent authenticated actions without an explicit consent step; (3) source/homepage is missing (origin unknown). Before installing: verify the author/source, inspect the scripts yourself, and if you must try it prefer running in an isolated environment (container or VM). Do not paste long-lived production API keys or secrets into chat — instead pre-configure only the environment variables you intend to allow, set tight file permissions on ~/.xclaw, and be prepared to revoke any generated API keys or JWTs after testing. If you need higher assurance, request a version with explicit metadata that lists required env vars and a clearer, explicit user-consent flow for storing credentials.
scripts/setup.js:129: Environment variable access combined with network send.
! scripts/setup.js:15: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
