Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sponge Wallet

v0.1.2

Manage crypto wallets, transfers, swaps, and balances via the Sponge Wallet API.

0· 1.7k·0 current·0 all-time
by Rishab Luthra (@rishabluthra)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and required credential (SPONGE_API_KEY) line up with a REST-API-only crypto wallet skill. No unrelated binaries or extra cloud creds are requested.
Instruction Scope
SKILL.md instructs agents to call many wallet endpoints, to store the API key and claim info in ~/.spongewallet/credentials.json, and to use an 'agent-first' registration flow that returns an apiKey immediately. The skill asks agents to send claim URLs to humans and optionally post tweet text. The instructions reference reading and writing a home-folder file (credentials.json) even though the registry metadata lists no required config paths.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk.
Credentials
Only SPONGE_API_KEY is required (proportionate). However, SKILL.md also expects/encourages reading/writing ~/.spongewallet/credentials.json and exporting SPONGE_API_URL at runtime; that file path is not declared in the registry metadata, creating a metadata/instruction mismatch that users should be aware of.
Persistence & Privilege
always:false (good), but the instructions explicitly recommend agent-first registration, which returns an API key immediately, and then persisting that key locally. Combined with normal autonomous invocation (disable-model-invocation: false), an agent could act with the key before a human claims or approves the wallet; this increases the blast radius of a misbehaving or compromised skill.
What to consider before installing
This skill appears to do what it says (manage wallets via the Sponge Wallet API), but pay attention before installing:
1) SKILL.md tells agents to use an 'agent-first' registration flow that returns an API key immediately. That means an agent could perform transactions before a human explicitly claims the wallet. If you require human approval, prefer the standard device flow.
2) The skill instructs writing the API key to ~/.spongewallet/credentials.json (and exporting it). Confirm you are comfortable storing a live crypto API key on disk; consider using least-privilege keys or isolated accounts, and rotate keys frequently.
3) The registry metadata did not declare the ~/.spongewallet config path even though the instructions use it. Treat that as a minor inconsistency and verify how your agent runtime will handle the file.
4) Ensure the SPONGE_API_KEY you provide has only the permissions you expect; if possible, test with testnet keys first.
5) Verify the skill's source/homepage before granting any live keys.
If you need stricter guarantees (human-in-the-loop for any transfer, or disabling agent autonomy), require those controls before installing.
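The checks above can be scripted before the agent is allowed to run. The following is an added example written for this listing; it is not code from the Sponge Wallet skill, its author, or ClawHub. It assumes the credentials file is JSON with an "apiKey" field and a boolean "claimed" field (the listing only says the file holds "the API key and claim info", so those field names are placeholders), and it takes the expected API host as a parameter because the real host is not stated on the page. It audits the on-disk key file for loose permissions and for a live key with no human claim, tightens the mode to 0600, flags a SPONGE_API_URL override that is not HTTPS or points at an unexpected host (an overridden URL would send the key to whoever controls that host), and shows a human-approval gate for value-moving actions.

```python
"""Pre-install checks for an instruction-only skill that persists an API key.

Added example for this listing; not code from the Sponge Wallet skill, its
author, or ClawHub. The "apiKey"/"claimed" field names and the expected API
host are assumptions, not the skill's real schema or endpoint.
"""
import json
import os
import stat
import tempfile
import urllib.parse
from pathlib import Path

DEFAULT_CRED_PATH = Path.home() / ".spongewallet" / "credentials.json"
# Actions that move value; an agent holding a live key must not run these
# without a human having approved that specific action.
VALUE_MOVING_ACTIONS = frozenset({"transfer", "swap", "send"})


def audit_credentials_file(path=DEFAULT_CRED_PATH):
    """Return a list of findings about the on-disk key file (empty == clean)."""
    path = Path(path)
    findings = []
    if not path.exists():
        return ["missing: credentials file not present"]
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions: mode {mode:04o} grants group/other access; expected 0600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("ownership: file is not owned by the current user")
    try:
        data = json.loads(path.read_text())
    except json.JSONDecodeError as exc:
        return findings + [f"format: not valid JSON ({exc})"]
    if not isinstance(data, dict) or not data.get("apiKey"):  # assumed field name
        findings.append("content: no apiKey field found")
    elif data.get("claimed") is False:  # assumed field name
        # Agent-first registration hands out a usable key before any human
        # claims the wallet, so a live key with no claim is the state to flag.
        findings.append("unclaimed: live key stored but no human claim recorded")
    return findings


def harden_permissions(path):
    """Restrict the key file to its owner (0600); returns the resulting mode."""
    path = Path(path)
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


def check_api_url(env, expected_host):
    """Flag a SPONGE_API_URL override that would send the key somewhere else."""
    findings = []
    url = env.get("SPONGE_API_URL")
    if not url:
        return findings  # no override: the skill's default endpoint applies
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"api-url: scheme {parts.scheme!r} is not https; key would travel in clear")
    if parts.hostname != expected_host:
        findings.append(f"api-url: host {parts.hostname!r} is not the expected {expected_host!r}")
    return findings


def authorize(action, human_approval=None):
    """Human-in-the-loop gate: value-moving actions need a matching approval record."""
    if action not in VALUE_MOVING_ACTIONS:
        return True
    return (bool(human_approval)
            and human_approval.get("action") == action
            and bool(human_approval.get("approver")))


def demo():
    """Run the checks against a constructed sample file (not real credentials)."""
    work = Path(tempfile.mkdtemp())
    cred = work / "credentials.json"
    cred.write_text(json.dumps({"apiKey": "placeholder-not-a-real-key", "claimed": False}))
    cred.chmod(0o644)  # deliberately loose, to surface the finding
    before = audit_credentials_file(cred)
    harden_permissions(cred)
    after = audit_credentials_file(cred)
    # Constructed override: plain http to a host that is not the expected API.
    url_findings = check_api_url({"SPONGE_API_URL": "http://198.51.100.7/api"}, "api.example.test")
    gate = (authorize("balance"),
            authorize("transfer"),
            authorize("transfer", {"action": "transfer", "approver": "alice"}))
    return before, after, url_findings, gate


if __name__ == "__main__":
    for label, result in zip(("before", "after", "url", "gate"), demo()):
        print(label, result)
```

Run it as a script to see the findings for the constructed sample: the loose 0644 file is flagged, the hardened file still reports the unclaimed live key, the http override produces two findings, and only the transfer with a recorded approver passes the gate. To apply it to a real install, call audit_credentials_file() with no argument after the agent's first run and pass the API host you actually expect to check_api_url(os.environ, ...).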


latest: vk9760sxnw8kbnjxn132kzh705180qp8g


Runtime requirements

🧽 Clawdis
Env: SPONGE_API_KEY
Primary env: SPONGE_API_KEY
