Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jovay-dapp
v0.0.1
Full-stack dApp generation skill for Jovay blockchain — from requirements gathering to contract deployment and frontend debugging
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The required binaries (jovay, git, node, npx) and the steps (init, build, deploy, run frontend) line up with a dApp generation/deployment skill. The metadata inside SKILL.md even suggests installing @jovaylabs/jovay-cli, which is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to initialize wallets, check balances, request airdrops, clone a GitHub template, write contracts, run Hardhat tests, and deploy to testnet. It also references reading a project .jovay/.env and using DEPLOYER_PRIVATE_KEY and JOVAY_TESTNET_RPC_URL in hardhat config — actions that touch sensitive credentials and local config. The instructions do not overreach beyond the dApp workflow, but they do imply reading/transmitting secrets and making network calls that should have been explicitly declared.
Install Mechanism
The skill is instruction-only (no install spec in registry), which minimizes direct file writes by the skill bundle. However, SKILL.md metadata includes an npm install suggestion for @jovaylabs/jovay-cli (global npm). Installing a CLI via npm is typical for this use case but carries the usual trust considerations for third-party npm packages.
Credentials
Registry metadata declares no required env vars, but the runtime instructions and example hardhat config explicitly reference sensitive variables (DEPLOYER_PRIVATE_KEY, JOVAY_TESTNET_RPC_URL) and a .jovay/.env file with project/template info. The skill will need wallet credentials or access to a configured jovay wallet to deploy; the failure to declare these requirements is a notable omission and increases the risk of accidental secret exposure.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. Its operations create a project directory and local config files (.jovay/.env) which is normal for a project scaffold; it does not request system-wide persistence or modification of other skills.
What to consider before installing
This skill appears to implement an end-to-end dApp workflow, but it expects you to have a configured Jovay wallet and to provide deployment credentials (private key or wallet access) and an RPC URL even though those secrets are not declared in the skill metadata. Before installing or running it:
(1) do not paste private keys into chats; prefer configuring a local wallet via the jovay CLI and use DEPLOYER_PRIVATE_KEY only in a secure environment variable or an encrypted local .env file;
(2) use a throwaway testnet wallet with minimal funds for development;
(3) confirm the exact GitHub template URL the skill will clone and review that template code before running;
(4) if you need to install @jovaylabs/jovay-cli, verify the npm package source and maintainers;
(5) ask the author to explicitly list required env vars (DEPLOYER_PRIVATE_KEY, JOVAY_TESTNET_RPC_URL, etc.) in the skill metadata and to document any data the skill transmits off-system.
These steps reduce risk of accidental secret disclosure or unintended deployments (especially to mainnet).
Like a lobster shell, security has layers — review code before you run it.
latest vk979frcnxqk9gkbx1a6ppry4a584gf0e
Runtime requirements
🚀 Clawdis
Bins: jovay, git, node, npx
