Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Near Name Service
v1.0.0
Manage NEAR Name Service (.near domains) - check availability, register, resolve, and manage names.
by @shaiss
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and scripts all implement NEAR Name Service operations (RPC queries and invoking near CLI). However the registry metadata declares no required binaries or env vars while the README and SKILL.md explicitly expect NEAR CLI and Node to be present — this mismatch is unexpected and should have been declared.
Instruction Scope
Runtime instructions only use NEAR RPC and the NEAR CLI to query and register names. The SKILL.md does not instruct reading unrelated files or sending data to external endpoints outside NEAR RPC/CLI. The code does execute shell commands (near call), which is expected for this purpose.
Install Mechanism
There is no install spec despite a Node script and package.json being present. The skill will require a Node runtime and NEAR CLI on the host to function; neither is declared in the skill metadata. Lack of an install or declared runtime is a delivery/compatibility omission and increases risk of surprises at runtime.
Credentials
The skill declares no required env vars, but SKILL.md recommends setting NEAR_ACCOUNT and the script reads process.env.NEAR_ACCOUNT. Registration uses the local NEAR CLI signer (local keys) implicitly. These are proportional to the task, but the skill does not declare or explain the need for NEAR CLI-managed credentials or how keys/signers are used.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.
What to consider before installing
- Functionality: The skill actually implements NEAR RPC calls and runs the NEAR CLI (via shell exec), which fits its stated purpose.
- Missing declarations: The registry metadata does not list required binaries, but you need Node.js and the NEAR CLI installed and configured locally. Expect it to use your NEAR CLI keys/signers when performing registrations.
- Review & test: Inspect the included script (scripts/nameservice.js) yourself (it’s short) and test on testnet first. The code defaults to testnet (isTestnet = true) — that’s safer for initial testing.
- Potential bug: The register command builds the contract call argument as '{"account_id":"<fullName>"}', which appears to set the name itself as the account_id rather than the target account; this looks like a logic bug and could cause unintended behavior during registration. Ask the author to clarify or fix before using on mainnet.
- Trust & keys: Because the script calls your NEAR CLI, it will use whatever keys your NEAR CLI has access to. Only run it if you trust the skill author and you understand which account will be charged for registration.
- If you want lower risk: require the author to update metadata to declare Node/NEAR CLI requirements, provide an install spec or explicit instructions, and fix the registration argument logic. After that, the package would be closer to 'benign'.

Like a lobster shell, security has layers — review code before you run it.
