Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EvalLayer Evaluator

v1.0.0

Evaluate crypto research quality via EvalLayer API. Extracts claims, scores accuracy, returns pass/fail verdicts with confidence scores. Use as quality gate...

by Ryan Hall (@ryanhall00)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (evaluate crypto research via api.evallayer.ai) matches the actual instructions and scripts, which POST content to api.evallayer.ai. There is, however, an inconsistency: the registry metadata at the top of the package declares no required environment variables or binaries, while SKILL.md declares EVALLAYER_API_KEY and requires the binaries curl and jq. The bundled scripts actually use curl and python3 (to escape JSON) and never call jq. The declared requirements should be corrected to match what the scripts use.
Instruction Scope
SKILL.md and the scripts instruct the agent to POST research text to api.evallayer.ai (the evaluate, reputation and intelligence endpoints). The scripts do not read local files or any credentials beyond the API key, which is within scope for a research-evaluation skill. Important: SKILL.md states explicitly that submitted content is stored and aggregated for intelligence, so anything the agent sends through this skill leaves your environment and may be retained by the provider.
Install Mechanism
There is no install spec; the skill is instruction-only with bundled scripts, so nothing is downloaded or extracted at install time and install-time execution risk is low. Note that the scripts require python3 at runtime (for JSON escaping) although python3 is not among the binaries SKILL.md declares, while jq is declared but never used. The scripts contain no remote downloads or archive extraction.
Credentials
The only credential the skill logically needs is EVALLAYER_API_KEY, used to authenticate to the service, which is proportionate to its stated purpose. The registry metadata, however, lists no required environment variables while SKILL.md declares EVALLAYER_API_KEY as primaryEnv; this inconsistency should be resolved. Do not reuse a privileged API key that is shared with unrelated services; issue a dedicated, limited-scope key for this skill.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configuration, and installs no persistent components. The agent can invoke it autonomously (disable-model-invocation is false), which is the platform default and not a concern on its own unless combined with other red flags.
What to consider before installing
This skill appears to do what it says: send research text to api.evallayer.ai and return an evaluation. Several inconsistencies should be resolved, or consciously accepted, before installing:
1. SKILL.md requires EVALLAYER_API_KEY and declares curl and jq, while the package registry metadata lists no requirements at all; verify which is correct.
2. The bundled scripts use python3 for JSON escaping, but python3 is not listed as a required binary.
3. jq is declared but never used; this may be sloppy packaging or a leftover.
Operational cautions: submitted content is sent to api.evallayer.ai and, by the provider's own statement, stored and aggregated, so do not send sensitive or private data through it. Create a dedicated API key with minimal scope for this skill and monitor its usage. If you allow autonomous agent invocation, the agent can call the external API whenever it chooses; enable that only if you trust both the provider and the agent workflow. Test with the demo script first (it uses the demo endpoint), and inspect and adapt the scripts to your environment, for example by confirming python3 is present or replacing it with another JSON-escaping approach. If possible, ask the skill author to correct the metadata and declared binaries before broad deployment.
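One way to check the declared-versus-actual mismatch the scan describes before installing, as an added example that is not part of the skill, ClawHub or OpenClaw: a small Python audit that compares the binaries and primary env var declared in SKILL.md with what the bundled scripts actually invoke, read and contact. The SKILL.md frontmatter layout, the /evaluate path and the sample script below are assumptions constructed to mirror the findings above, not the real package contents.

```python
"""Pre-install audit of an agent skill package: compare what SKILL.md declares
(required binaries, primary env var) with what the bundled scripts invoke, read
and contact. Example code written for this page; not the skill's own code.
The frontmatter layout, the /evaluate path and the script are constructed
assumptions that mirror the scan findings (curl+jq declared, curl+python3 used)."""
import re
from typing import Dict, Set

# Constructed SKILL.md: declares curl and jq, and EVALLAYER_API_KEY as primaryEnv.
SAMPLE_SKILL_MD = """---
name: evallayer-evaluator
metadata:
  openclaw:
    primaryEnv: EVALLAYER_API_KEY
    requires:
      bins: [curl, jq]
---
# EvalLayer Evaluator
Sends research text to api.evallayer.ai for scoring.
"""

# Constructed bundled script: curl plus python3 for JSON escaping, no jq.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "scripts/evaluate.sh": r'''#!/usr/bin/env bash
set -euo pipefail
TEXT="$1"
BODY=$(python3 -c 'import json,sys; print(json.dumps({"content": sys.argv[1]}))' "$TEXT")
curl -sS -X POST "https://api.evallayer.ai/evaluate" \
  -H "Authorization: Bearer ${EVALLAYER_API_KEY}" \
  -H "Content-Type: application/json" \
  -d "$BODY"
''',
}

# Tools worth tracking: anything that executes code, fetches or unpacks content.
TOOLS = r"curl|wget|jq|python3?|node|openssl|base64|unzip|tar|bash|sh"
TOOL_RE = re.compile(rf"(?<![\w/.-])({TOOLS})(?![\w-])")   # whole-word, not part of a path
ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")           # $NAME or ${NAME}
ASSIGN_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)=", re.M)     # NAME=... locals, not env
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def parse_declared(skill_md: str) -> Dict[str, Set[str]]:
    """Pull declared bins and primaryEnv out of the SKILL.md frontmatter (assumed layout)."""
    front = skill_md.split("---", 2)[1] if skill_md.startswith("---") else ""
    bins_m = re.search(r"bins:\s*\[([^\]]*)\]", front)
    bins = {b.strip() for b in bins_m.group(1).split(",") if b.strip()} if bins_m else set()
    env_m = re.search(r"primaryEnv:\s*(\S+)", front)
    envs = {env_m.group(1)} if env_m else set()
    return {"bins": bins, "envs": envs}


def strip_comments(script: str) -> str:
    """Drop full-line comments (including the shebang) so they do not count as usage."""
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))


def scan_scripts(scripts: Dict[str, str]) -> Dict[str, Set[str]]:
    """Collect binaries invoked, env vars read (minus locally assigned ones) and hosts contacted."""
    bins, envs, hosts = set(), set(), set()
    for body in scripts.values():
        code = strip_comments(body)
        bins |= set(TOOL_RE.findall(code))
        envs |= set(ENV_RE.findall(code)) - set(ASSIGN_RE.findall(code))
        hosts |= set(HOST_RE.findall(code))
    return {"bins": bins, "envs": envs, "hosts": hosts}


def audit(skill_md: str, scripts: Dict[str, str], expected_hosts: Set[str]) -> Dict[str, Set[str]]:
    """Four findings a reviewer wants before installing; empty sets mean metadata matches reality."""
    declared, used = parse_declared(skill_md), scan_scripts(scripts)
    return {
        "undeclared_bins": used["bins"] - declared["bins"],   # runtime surprise (python3 here)
        "unused_bins": declared["bins"] - used["bins"],       # stale metadata (jq here)
        "undeclared_envs": used["envs"] - declared["envs"],   # secrets the skill never admitted to
        "unexpected_hosts": used["hosts"] - expected_hosts,   # egress beyond the stated provider
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_SKILL_MD, SAMPLE_SCRIPTS, {"api.evallayer.ai"}).items():
        print(f"{key}: {sorted(val) or 'none'}")
```

Run as-is and the audit reports python3 as undeclared and jq as unused, the two packaging defects the scan lists. The host check is the part to keep for other skills: if you accept a skill because its stated scope is a single provider, any script line that contacts a second host, or pipes a download into sh, should fail this check before the agent ever runs it.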
