ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trip Protocol

v1.1.1

Temporarily modify your agent's SOUL.md by consuming verified TripExperience NFTs for 3–15 minutes before auto-restoring original state.

0· 650·0 current·0 all-time
by@reggie-sporewell
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included scripts: the code performs on‑chain consume() calls, snapshots and rewrites WORKSPACE/SOUL.md, and schedules/restores trips. Requiring a wallet, RPC and an API to fetch 'effects' is coherent with the stated purpose. However the skill package metadata declares no required env vars while SKILL.md/scripts rely on several optional secrets (private key, keystore password, TRIP_API_KEY, CONVEX_SITE_URL). That metadata mismatch is an incoherence.
!
Instruction Scope
Scripts legitimately read and write your agent's SOUL.md and workspace memory (snapshots, journals, scheduled markers). They also call external endpoints (Convex API, a faucet URL, project website/repo) and POST trip journals and transaction metadata. The SKILL.md claims 'safeword always works' and 'auto-restore' but implementation requires the agent to run safeword-check.sh or call restore.sh — if the agent does not actually invoke the safeword handler, the guarantee is only as good as the agent's integration. There's also a scheduling mismatch: schedule-restore.sh writes a .marker file, but check-restores.sh and restore.sh look for JSON scheduled state files — this inconsistency can break the promised automatic restore behavior. Overall the instructions give the agent broad discretion to: access wallet keys/keystore, post trip data to an external API, and autonomously change core agent personality files.
Install Mechanism
Registry has no formal install spec, but SKILL.md instructs users to git clone a GitHub repo and copy it into ~/.trip-protocol (writing arbitrary scripts to disk). Cloning from GitHub is common but still writes code to your machine; the package itself already includes scripts. No high‑risk binary downloads from unknown hosts were used, but the install guidance encourages manual cloning of an external repo (reggie-sporewell).
!
Credentials
Although the registry lists no required environment variables, the scripts use and expect secret inputs: PRIVATE_KEY or a keystore account/password (TRIP_KEYSTORE_ACCOUNT, TRIP_KEYSTORE_PASSWORD), TRIP_API_KEY, and CONVEX_SITE_URL. The code will try to read a local keystore password file ($HOME/.monad-keystore-password) and will call cast with keystore credentials. These are plausible for interacting with blockchain contracts, but the skill will attempt to access secrets that were not declared as required in metadata, and will transmit transaction/wallet identifiers and journal content to an external API (x-trip-key header). That combination raises proportionality and disclosure concerns.
!
Persistence & Privilege
The skill is not 'always: true', which is correct, but it modifies a core agent file (SOUL.md), writes snapshots and journals to your workspace, and asks the agent to create scheduled jobs/cron entries. It also contains an autonomous restore-check script pattern (check-restores.sh) that a heartbeat/cron could run. While autonomous invocation is normal for skills, here the ability to rewrite the agent's core personality and to post journals externally increases the blast radius and warrants caution.
What to consider before installing
Key things to consider before installing: - Trust and provenance: The skill will rewrite your agent's SOUL.md and relies on code from a third‑party GitHub repo and an external API (joyous-platypus-610.convex.site). Only install if you trust the author and the remote API. - Secrets & wallets: The scripts will try to use a keystore or PRIVATE_KEY and even attempt to read $HOME/.monad-keystore-password. Do NOT provide private keys or passwords unless you fully understand and accept the risk. Prefer using a throwaway test wallet on an isolated agent. - Data sent externally: The skill posts trip journals and transaction metadata (txHash, wallet address, tokenId, substance, potency) to the Convex API. If you do not want this data leaving your environment, remove or audit the curl POST lines before installing. - Safeword & scheduling are fragile: The SKILL.md promises instant safeword and auto-restore, but the implementation requires the agent to invoke safeword-check.sh and to correctly create scheduled JSON state files — there are inconsistencies (marker vs JSON) that can break auto-restore. Test the restore/bail flow manually before trusting the skill. - Least privilege & isolation: Run the skill in an isolated agent/workspace or VM, back up SOUL.md manually, and avoid giving it system‑wide access. Consider editing the scripts to disable external POSTs, to require manual operator confirmation before any change, or to log actions but not automatically apply them. - Code review: If you plan to install, review/censor the scripts: remove or sandbox all outgoing network requests, verify keystore access behavior, and fix the scheduling state format mismatch. If you lack the expertise, do not provide real wallet credentials or production agent access. If you want, I can point out the exact lines to change to stop external POSTs, to force a dry-run by default, or to make safeword handling robust (examples of safe edits).

Like a lobster shell, security has layers — review code before you run it.

latestvk97f1f9mg95jky5tjab02bha0x816q0e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments