Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jovay-interaction

v0.0.1

Skill for interacting with the Jovay or Ethereum network using jovay-cli

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is an instruction-only wrapper around the jovay-cli. It declares the jovay binary and suggests installing @jovaylabs/jovay-cli via npm, which aligns with the described capability (wallet management, transfers, bridge ops, contract calls). There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs the agent to run jovay CLI commands that require private keys (--sk) and may broadcast transactions. Asking for a private key is coherent for a wallet CLI, but the document also shows patterns that put private keys on command lines (e.g., --sk), which can leak via shell history or process listings. The instructions allow custom RPC endpoints and broadcasting transactions; that is expected for this kind of CLI, but it increases risk if keys are handed to the agent or if the agent runs autonomously.
Install Mechanism
There is no install spec executed by the platform (instruction-only), but the SKILL.md metadata suggests installing @jovaylabs/jovay-cli from npm. Installing a CLI from npm is a common, expected mechanism for this use case, but it carries typical supply-chain risk if the npm package or maintainer is unverified. No arbitrary download URLs or extraction are used.
Credentials
The skill does not request environment variables or other credentials in the registry metadata, which is proportionate. However, its runtime patterns rely on supplying private keys (via --sk or encrypted wallet options). Supplying a raw private key on the command line or to an agent can expose secrets; the SKILL.md suggests encryption options but does not enforce safe handling guidance.
Persistence & Privilege
The always flag is false, and there are no install scripts or config paths that would grant persistent elevated privileges. The skill can be invoked autonomously by default (the platform default), which is expected for a CLI integration but means an agent given access to a private key could sign and broadcast transactions without any further user prompt.
Assessment
This skill is coherent for interacting with Jovay via jovay-cli, but double-check the following before installing or using it:

- Trust and origin: the skill's source/homepage is not provided here. Verify you are installing the official @jovaylabs/jovay-cli package (check the npm package page, repository, and maintainers) before running npm -g installs.
- Secrets handling: the CLI accepts private keys via --sk (command-line flag). Avoid pasting raw private keys on command lines or into agents: command history and process lists can leak them. Prefer encrypted wallets, hardware wallets, or temporary wallets with minimal funds for testing.
- Broadcasting risk: the skill's instructions include --broadcast and bridge/transfer commands. If you supply a private key to an agent or allow autonomous invocation, the agent could sign and submit transactions. Only enable autonomous usage if you trust the skill and have constrained the key's permissions/funds.
- Supply-chain caution: installing an npm CLI is common but not risk-free. Inspect the npm package repo, release notes, and maintainers, or install from a known-good release/tag.
- Mitigations: use a dedicated low-value wallet for experimentation, use RPC endpoints you trust, prefer encrypted key storage (--enc) or hardware wallets, and do not store long-term secrets in the agent or in plain shell history.

If you can provide the package repository or homepage, that would raise confidence and allow a more precise assessment.
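The secrets-handling, RPC and broadcasting points above can be enforced mechanically instead of being left to the agent's judgement: give the agent a wrapper rather than the bare binary, and have the wrapper refuse invocations that break policy. The POSIX sh script below is an added example written for this review; it is not code from the skill, from jovay-cli or from ClawHub. It assumes that --sk carries a raw private key (as this page states), that a custom endpoint is passed as --rpc <url> (an assumed flag name; check the real CLI) and that --broadcast submits the signed transaction. The allowlist URLs and the argument lists in the demonstration loop are constructed samples.

```shell
#!/bin/sh
# Added example: a policy gate for an agent allowed to invoke a wallet CLI.
# Not part of the skill or jovay-cli. Assumptions: --sk carries a raw private
# key (as the page states), --rpc <url> selects the endpoint (assumed flag
# name) and --broadcast submits the signed transaction.

# Endpoints the operator trusts. Constructed sample values; override via env.
JOVAY_RPC_ALLOWLIST="${JOVAY_RPC_ALLOWLIST:-https://rpc.jovay.example https://eth.rpc.example}"

# looks_like_raw_key ARG -> 0 if ARG is a 32-byte hex secret (0x + 64 hex digits).
# A 20-byte address is 0x + 40 digits, so addresses do not match.
looks_like_raw_key() {
    printf '%s\n' "$1" | grep -Eq '^(0x)?[0-9a-fA-F]{64}$'
}

# rpc_allowed URL -> 0 if URL is listed in JOVAY_RPC_ALLOWLIST, 1 otherwise.
rpc_allowed() {
    for r in $JOVAY_RPC_ALLOWLIST; do
        if [ "$r" = "$1" ]; then return 0; fi
    done
    return 1
}

# guard_jovay_args ARGS... -> 0 if the invocation passes policy, 1 (with a
# reason on stderr) if not. Policy: no raw key on the command line (it lands
# in shell history and in ps output), only allowlisted RPC endpoints, and
# --broadcast only when the operator has set JOVAY_ALLOW_BROADCAST=1.
guard_jovay_args() {
    expect_rpc=0
    rpc_seen=""
    broadcast=0
    for a in "$@"; do
        if [ "$expect_rpc" = 1 ]; then
            rpc_seen="$a"
            expect_rpc=0
            continue
        fi
        case "$a" in
            --sk|--sk=*)
                echo "guard: refusing --sk; raw private keys must not be passed on the command line" >&2
                return 1
                ;;
            --rpc) expect_rpc=1 ;;
            --rpc=*) rpc_seen="${a#--rpc=}" ;;
            --broadcast) broadcast=1 ;;
        esac
        # Catch a key smuggled in under any other flag or as a positional argument.
        if looks_like_raw_key "$a"; then
            echo "guard: argument looks like a raw private key" >&2
            return 1
        fi
    done
    if [ -n "$rpc_seen" ] && ! rpc_allowed "$rpc_seen"; then
        echo "guard: RPC endpoint $rpc_seen is not in JOVAY_RPC_ALLOWLIST" >&2
        return 1
    fi
    if [ "$broadcast" = 1 ] && [ "${JOVAY_ALLOW_BROADCAST:-0}" != 1 ]; then
        echo "guard: --broadcast refused; set JOVAY_ALLOW_BROADCAST=1 to permit submission" >&2
        return 1
    fi
    return 0
}

# run_jovay ARGS... : the command the agent is given instead of the bare binary.
run_jovay() {
    guard_jovay_args "$@" || return 1
    jovay "$@"
}

# Demonstration on constructed argument lists; nothing is executed or signed here.
for argv in "balance --rpc https://rpc.jovay.example" \
            "balance --rpc https://rpc.attacker.example" \
            "transfer --to 0x0000000000000000000000000000000000000001 --amount 1 --sk 0xdeadbeef" \
            "transfer --to 0x0000000000000000000000000000000000000001 --broadcast"; do
    # Word splitting of the sample string is intentional here.
    if guard_jovay_args $argv 2>/dev/null; then
        echo "ALLOW: jovay $argv"
    else
        echo "DENY:  jovay $argv"
    fi
done
```

In the demonstration only the first invocation is allowed: the second uses an endpoint outside the allowlist, the third passes a raw key with --sk, and the fourth asks to broadcast without the operator having set JOVAY_ALLOW_BROADCAST=1 for the session. Keeping the allowlist and the broadcast switch in the operator's environment rather than in the agent's instructions means the agent cannot talk its way past them.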


latest: vk9771nyakkq7fkp34xxz6rkm9984hp46


Runtime requirements
Clawdis
Bins: jovay
