Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
web5 cli
v0.1.2Use when working with Web5 CLI tool for decentralized identity, CKB wallet, DID management, PDS data operations, account creation, posting, profile updates
⭐ 0· 353·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and provided Python scripts align with a Web5 CLI account lifecycle helper (create/destroy account, PDS interactions). However the skill metadata declares no required binaries or credentials even though SKILL.md and the scripts assume the 'web5-cli' binary is installed (SKILL.md suggests `npm install -g web5-cli`). That mismatch is sloppy and should be resolved by the author.
Instruction Scope
The runtime instructions and included scripts instruct the agent to run many web5-cli commands that access local keystore and wallet files (~/.web5-cli/signkey, ~/.web5-cli/ckb-sk) and to write ~/.web5-cli/account.json (stores username, DID, didkey, address, PDS domain and potentially tokens). The SKILL.md had a pre-scan 'base64-block' prompt-injection signal — an instruction-only doc embedding encoded or injected content can attempt to manipulate agents. While the scripts do not show explicit exfiltration, the combination of embedded prompt-injection patterns and operations that handle private keys is a material concern.
Install Mechanism
There is no install spec for the skill itself (instruction-only), which is low-risk. The README tells users to install 'web5-cli' via npm; that is normal for this functionality. The skill does not contain an automated download/execute install step that would fetch arbitrary code.
Credentials
The skill declares no required environment variables or credentials, but uses CKB_NETWORK (optional) and accesses local key/wallet files via web5-cli. Access to private keystore and wallet files is expected for a wallet/DID manager, but because secrets and tokens may be written to ~/.web5-cli/account.json, the skill should explicitly document and justify this sensitive access. The lack of declared required binaries/credentials is an omission.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges. It writes and reads files under ~/.web5-cli and creates temporary files, which is within scope for an account management tool. Autonomous invocation is allowed (platform default) but not combined here with an always:true or other high-privilege requests.
Scan Findings in Context
[base64-block] unexpected: A base64-block pattern was detected in SKILL.md. Encoded blocks are not expected in a CLI usage doc and can be used for prompt-injection or to hide instructions. Inspect the SKILL.md content for embedded/encoded payloads before trusting the skill.
What to consider before installing
What to consider before installing/running: 1) Source trust: the skill has no homepage and the registry owner is unknown — verify the npm 'web5-cli' package author and checksum before installing. 2) Sensitive files: the scripts and CLI will access and may write sensitive keys and tokens in ~/.web5-cli (signkey, ckb-sk, account.json). Back up and protect these files; consider running the workflow in a sandbox. 3) Prompt-injection: SKILL.md contains a detected base64-like block — inspect the full SKILL.md for any encoded text or hidden instructions and remove/clean them. 4) Run audit: review the included Python scripts yourself (they mostly call web5-cli and parse JSON; note minor bugs referencing undefined variables in error paths). 5) Least privilege: do not run as a privileged user; limit network exposure and validate the PDS host you pass to commands. If you are unsure about the package provenance or the encoded content, do not install or run these scripts.Like a lobster shell, security has layers — review code before you run it.
latestvk978f36e6kes0yrpsj2zj2dfxh824pzp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.