ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RustChain MCP

v0.3.0

Access RustChain blockchain wallets and tokens, BoTTube AI video platform features, and Beacon agent communication tools via a unified MCP server.

7· 245·3 current·4 all-time
byAutoJanitor@scottcjn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim a unified MCP server for RustChain, BoTTube, and Beacon; the code and README implement those features (HTTP endpoints, MCP tools, LangChain wrappers). That alignment is coherent. Minor mismatch: SKILL metadata declares no required env vars, but README and code expect environment variables for node and service URLs and optional API keys (e.g., BOTTUBE_API_KEY, MOLTBOOK_API_KEY).
!
Instruction Scope
SKILL.md only documents pip install and running the MCP server, and lists the tools. The repository, however, contains an evangelist_agent daemon (evangelist_agent.py) that will discover agents, post onboarding content, and send Beacon pings offering RTC tips—network-behavior not prominently documented in SKILL.md. Several runtime components perform outbound network calls to third-party endpoints; the agent can post content and ping other agents when run. This expands the runtime scope beyond passive query tools.
Install Mechanism
There is no explicit install spec in the skill bundle (SKILL.md suggests 'pip install rustchain-mcp'); the package includes full Python source and pyproject files. Installing from PyPI (as suggested) will pull the published package; the source here references a GitHub repo and PyPI. No arbitrary URL downloads or extract steps were found in the bundle, but you should verify the PyPI package contents and provenance before pip installing.
!
Credentials
The skill declares no required environment variables, but code and README rely on several environment variables (RUSTCHAIN_NODE, BOTTUBE_URL, BEACON_URL, RUSTCHAIN_TIMEOUT) and optional secret keys (BOTTUBE_API_KEY, MOLTBOOK_API_KEY, EVANGELIST_WALLET). Upload/posting tools require API keys. The bundle does not clearly declare these as required, which could lead users to accidentally provide secrets without understanding why. Additionally, HTTP clients in the code disable TLS verification (verify=False), which is a security risk for any secret-bearing requests.
Persistence & Privilege
The skill is not 'always: true' and does not request system-wide configuration changes. However, it includes an evangelist daemon that, if run, will periodically discover and ping other agents and post to external services—this can produce outbound traffic and automated messages. Autonomous model invocation is enabled by default (not flagged on its own) but combined with the evangelist behavior increases blast radius if the agent runs those flows unsupervised.
What to consider before installing
This package implements the RustChain/BoTTube/Beacon tools described, but several things deserve caution before installing: - Verify provenance: SKILL metadata lists 'source: unknown' though files reference a GitHub repo and PyPI. Confirm the PyPI package and GitHub repository match the code here. - Secrets and env vars: The code uses environment variables (RUSTCHAIN_NODE, BOTTUBE_URL, BEACON_URL) and optional API keys (BOTTUBE_API_KEY, MOLTBOOK_API_KEY). The skill did not declare these as required—only provide API keys if you trust the maintainer and the endpoints. - TLS verification disabled: The code sets verify=False for httpx/requests, which bypasses TLS cert checks. This makes network traffic vulnerable to man-in-the-middle attacks and increases risk if you provide credentials. - Automated network behavior: evangelist_agent.py will discover agents, post onboarding content, and send Beacon pings (offers/tips). That behavior is potentially spammy and will produce outbound network traffic—run it only in an isolated environment and after reviewing what it posts/whom it contacts. - Default node/IP: The default RUSTCHAIN_NODE is a raw IP (50.28.86.131). Confirm that is an intended and trusted node; consider overriding to a known, vetted node URL. If you plan to use this skill: - Inspect the published PyPI package contents and upstream GitHub repo to ensure they match. - Run in an isolated environment (container/VM) first. - Never supply API keys or secrets until you confirm trust; if you must, consider scoped, low-privilege keys and monitor their use. - Consider patching the code to enable TLS verification (remove verify=False) before supplying secrets or using in production. If you want, I can list the exact lines where verify=False is set, show the env vars the code reads, or help craft safer environment overrides.

Like a lobster shell, security has layers — review code before you run it.

agent-economyvk9700y4348yj0xs277353nmfa982jyt3beaconvk9700y4348yj0xs277353nmfa982jyt3bottubevk9700y4348yj0xs277353nmfa982jyt3latestvk9700y4348yj0xs277353nmfa982jyt3mcpvk9700y4348yj0xs277353nmfa982jyt3rustchainvk9700y4348yj0xs277353nmfa982jyt3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments