Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Avalanche Analytics (AVAX Ecosystem Analysis)
v1.0.0
Comprehensive Avalanche (AVAX) ecosystem analysis tool. Provides Avalanche subnet architecture analysis, DeFi protocol monitoring, project evaluation, subnet ecosystem tracking and investment opportunity discovery. Trigger this Skill when the user needs to analyze the Avalanche ecosystem, evaluate AVAX projects, monitor subnet development or obtain Avalanche chain intelligence.
⭐ 0 · 19 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The included avalanche_monitor.py implements monitoring and validator-yield calculations consistent with the stated Avalanche analysis purpose. However, the package also contains a payment.py module and pricing metadata (_meta.json) with an embedded SkillPay API key and a pricing entry — a monetization feature not described or integrated in SKILL.md. That mismatch (monetization code present but not documented in the runtime instructions) is unexpected.
Instruction Scope
SKILL.md documents running several scripts (avalanche_monitor.py, subnet_analyzer.py, project_evaluator.py, validator_calculator.py) but only avalanche_monitor.py exists in the repository. SKILL.md does not mention payment enforcement, while payment.py implements verification logic that could gate usage. The monitor writes output to /tmp (a low-privilege path) which is reasonable, but the missing scripts and undocumented payment behavior expand the agent's effective scope unpredictably.
Install Mechanism
There is no external install spec or third-party download; the skill is instruction-only with bundled Python scripts. No installers, remote downloads, or extract steps are present — low install-surface risk.
Credentials
The skill declares no required environment variables, yet contains a hardcoded SkillPay API key in payment.py and _meta.json. Embedding a private API key in code is inappropriate and gives the skill the ability to make authenticated calls (and enforce or track payments) without revealing this need in SKILL.md or requires.env. The payment module optionally reads SKILLPAY_SKIP_VERIFICATION from the environment (test mode), but there is no documented, justified need for an embedded API key for Avalanche analysis.
Persistence & Privilege
The skill does not request persistent system privileges or always:true. It writes output to a temporary file under /tmp and does not modify other skills or global agent configuration. Autonomous invocation is allowed by default (not flagged on its own), but combined with the other concerns this increases potential impact.
Scan Findings in Context
[hardcoded-secret-api-key] unexpected: A SkillPay API key (sk_...) is hardcoded in payment.py and duplicated in _meta.json's pricing.apiKey. This is not required for offline analytics and is not documented in SKILL.md; it could allow the skill to make authenticated calls to an external payment API or leak usage information.
What to consider before installing
Before installing or running this skill:
1) Ask the author to explain the payment model and why a private SkillPay API key is embedded; this should not be in the distributed code.
2) Confirm whether the skill enforces payment at runtime and whether it will transmit any user identifiers (e.g., wallet addresses) to api.skillpay.io.
3) Request the missing scripts referenced in SKILL.md (subnet_analyzer.py, project_evaluator.py, validator_calculator.py) or remove their mentions if not provided.
4) If you decide to proceed, run the skill in a sandboxed environment and inspect network calls (especially to api.skillpay.io and pay.skillpay.io).
5) Prefer a version that removes hardcoded secrets, documents any paywall clearly, and declares required env vars (so you can control them).
If you need help phrasing questions to the author or verifying a sanitized release, I can draft them.
Version: latest · vk9737z5fv0hc13r7s4vy8r854s8466cw
