Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dev Glue

v1.0.0

JSON transformation, schema validation, text diffing, document conversion. Four developer utility micro-services. Use for data transformation, validation, an...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (JSON transform, validation, diff, conversion) aligns with the listed endpoints and example request/response payloads. However, the SKILL.md references a payment model (x402 / USDC on Base) and paths (/x402s/...) without providing a host, API endpoint base URL, or any information about required credentials, which is inconsistent with a usable service description.
Instruction Scope
The instructions tell the agent to POST data to external endpoints (/x402s/...), implying network calls and payment. They do not specify a hostname, authentication method, or whether data is stored. That means the agent (or user) would be asked to send potentially sensitive JSON/text to an unspecified external service for a fee — a clear scope and privacy concern.
Install Mechanism
No install spec and no code files are present; this instruction-only skill does not write code to disk or install third-party packages, which minimizes local install risk.
Credentials
The skill declares no required environment variables or credentials. That is inconsistent with its payment model: a paid crypto-based API typically requires keys or a wallet; the absence of declared credentials is an unexplained omission and could indicate incomplete metadata or hidden requirements.
Persistence & Privilege
The skill does not request always:true or elevated persistence. Default autonomous invocation is allowed (platform default) but does not by itself increase concern. Combined with external paid endpoints, autonomous invocation could increase risk, but no direct privilege escalation is requested here.
What to consider before installing
This skill describes four paid micro‑services but omits the service host, source/homepage, privacy/storage policy, and any authentication details. Before installing or using it, ask the provider for: (1) the base URL(s) and TLS/hosting proof (e.g., official domain/GitHub repo), (2) authentication and billing flow (how USDC on Base payment is authorized and which keys/wallets are required), (3) data retention/privacy policy (is your JSON/text stored or logged?), and (4) an explicit API key/credential requirement declared in the skill metadata. Until those are provided, avoid sending sensitive data or enabling autonomous use — the current metadata is insufficient to trust where your data would go or how payments would be handled.
