Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bags v2.0.1
Bags - The Solana launchpad for humans and AI agents. Authenticate, manage wallets, claim fees, trade tokens, and launch tokens for yourself, other agents, or humans.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description (Solana launchpad: auth, wallets, claim fees, trade, launch) align with the provided instructions and endpoints. Requiring JWTs, API keys and private keys is expected for signing/submitting Solana transactions. However the docs also instruct using a Moltbook API key and storing several sensitive credentials locally (JWT, API key, private key) — these are expected for the stated purpose but increase sensitivity and should be explicit in metadata (they are not).
Instruction Scope
The SKILL.md and related files instruct the agent/user to: export private keys via the Bags API, store JWT/API keys and wallet/private keys in plaintext files under ~/.config/bags, create a local signing script that will read private keys, and perform automated 'heartbeat' checks that read wallet balances and claimable positions. They also include an auto-update routine that fetches skill files from https://bags.fm and writes them to ~/.bags/skills without any signature verification. Those behaviors go beyond simple API usage and materially expand the skill's data access and write-scope.
Install Mechanism
There is no formal install spec (instruction-only), but the runtime docs instruct users to curl remote files from https://bags.fm into ~/.bags/skills and to npm install dependencies in ~/.config/bags — effectively writing code to disk. Notably, the wallets.md recommends installing a Solana CLI from a non-official-looking URL (https://release.anza.xyz/stable/install) rather than the official upstream; that is unexpected and risky. The auto-update flow downloads and replaces skill files silently from bags.fm without integrity checks.
Credentials
The skill expects and instructs the user to acquire and persist sensitive credentials (Moltbook API key, Bags JWT token, Bags API key, wallet private keys). Those credentials are necessary for the core features (auth, signing, submitting txs), so requesting them is proportionate to functionality — however the docs encourage storing them together in one file and exporting private keys programmatically. This raises a high-risk credential-exfiltration surface if the update or heartbeat mechanisms are abused.
Persistence & Privilege
Although the skill is not marked always:true, its guidance actively creates persistent artifacts: ~/.config/bags/, ~/.bags/skills/, sign-transaction.js, npm-installed dependencies and heartbeat-state.json. The heartbeat includes a silent auto-update that will fetch and overwrite skill files from the remote site. That gives the skill (or any actor who can modify the remote site) an effective persistent update channel and a way to inject new instructions/code into the user agent environment without signature checks.
What to consider before installing
This skill appears to implement the advertised Bags launchpad functionality, but it requires handling very sensitive secrets (JWT, API key, wallet private keys) and includes a silent auto-update and non-standard installer recommendations. Before installing:
- Treat private keys and API tokens as extremely sensitive: prefer ephemeral signing flows, hardware wallets, or local-only signers rather than exporting private keys into files or environment variables. If you must export a key, restrict file permissions and remove keys immediately after use.
- Disable or modify the auto-update behavior. The heartbeat's silent 'curl https://bags.fm/...' update has no integrity verification and could replace instructions or introduce malicious code. Only install updates from a verifiable repository (signed releases or trusted VCS). Do not allow automatic overwrites of ~/.bags/skills without review.
- Do not run installers from unknown hosts. The wallets.md suggests installing Solana CLI from release.anza.xyz instead of the official upstream; verify the installer origin and use only official, signed installers.
- Review sign-transaction.js and any npm dependencies before running npm install. Consider running the signer in a restricted environment and auditing @solana/web3.js/bs58 versions used.
- If you proceed, segregate credentials (different API keys for trading vs claiming), rotate keys after first use, and monitor wallet activity for unexpected outgoing transfers.
What would change my assessment: presence of a public, reputable source repository (e.g., GitHub org with signed releases), release/signature verification for skill files, a documented non-export signing flow (e.g., ephemeral or hardware signing), and removal or safe implementation of auto-update (signed updates or opt-in only). In the absence of those mitigations, treat this skill as potentially risky and prefer manual, audited use rather than automatic installation.
