ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Security Defense Line 安全防线

v2025.4.7

安全防线 - 全方位安全防护与威胁防御系统。 当用户需要以下功能时触发此skill: (1) 智能合约安全审计与漏洞检测 (2) 钱包安全检测与防护 (3) 交易安全验证与风险预警 (4) 钓鱼网站/诈骗检测 (5) 私钥/助记词安全管理 (6) 多签钱包配置与管理 (7) 安全事件响应与应急处理 (8) 安全策...

0· 292·0 current·0 all-time
by@shenmeng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the provided scripts: contract auditor, wallet guardian, tx validator, phishing detector, multisig manager, incident responder and a monitor. Those files implement features described in SKILL.md (static checks, simulations, playbooks). However metadata and code include a SkillPay billing integration (payment.py and _meta.json) that is not declared in the skill requirements section — billing/credentials are not listed in the top-level 'Required env vars' even though the skill expects them. This mismatch is unexpected and notable.
Instruction Scope
SKILL.md instructs running local Python scripts (no opaque remote endpoints in the workflow). The scripts are largely self-contained simulations and local analyses, but they call external OS tools (e.g., slither/mythril via subprocess) and reference runtime configuration values (e.g., TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SMTP settings) in examples. SKILL.md does not declare these required env vars. The billing message in SKILL.md also directs users to pay via SkillPay — the runtime billing behavior (charging attempts) is implemented in payment.py.
Install Mechanism
There is no network-based install spec (no downloads, no extract). The skill is instruction + bundled Python code (no installer). That reduces supply-chain install risk. Note: some scripts invoke external binaries (slither, mythril) via subprocess; those tools are not installed by the skill and must exist in the environment for some features to work.
!
Credentials
Several environment/config items are used but not declared as requirements: payment.py and _meta.json reference SKILLPAY_API_KEY and SKILLPAY_USER_ID (billing), SKILL.md examples reference TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID and SMTP settings. The biggest red flag: payment.py contains a hard-coded BILLING_API_KEY (a long secret-like token) baked into source. The skill requests billing actions (charging users) and will call an external billing API using that embedded key and the SKILLPAY_USER_ID env var — this is disproportionate and a maintenance/secret-management issue and could have privacy/financial implications.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent presence nor declare modifications to other skills or global agent settings. The code does not appear to persist configuration to other skill configs. Autonomous invocation is allowed (platform default) but is not by itself an extra risk given the other concerns.
What to consider before installing
Key points to consider before installing or running this skill: - Billing and credentials: _meta.json and payment.py indicate SkillPay billing is required, but the top-level 'required env vars' are empty. Confirm which environment variables you must provide (SKILLPAY_USER_ID, SKILLPAY_API_KEY?) and how billing works. Do not provide wallet/private keys to the skill. - Hard-coded secret: payment.py contains a baked-in BILLING_API_KEY token in source. This is poor practice and could be abused by the publisher. Ask the author to remove embedded keys and rely on configured environment secrets instead. Consider this an immediate red flag until explained. - Undeclared env vars and config: SKILL.md config examples reference TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, and SMTP credentials. These are sensitive; verify where they are read and add explicit declarations before running. - Network & external tools: Some scripts call external tooling (slither, mythril) via subprocess. These tools run with your environment privileges and could execute arbitrary code if compromised. Only run in a sandbox or on a non-production machine after reviewing dependencies. - Review code before use: The bundled Python scripts are largely simulation/self-contained but should be code-reviewed for any hidden network calls, filesystem reads/writes, or attempts to read private keys from disk. Search for any uses of os.environ, open(), subprocess.run, and any http requests besides the billing endpoint. - Test safely: If you must evaluate functionality, run the skill offline or in an isolated environment (container/VM) with no real credentials or private keys. Replace or remove billing logic (or provide a test account) if you do not want automatic charging attempts. If the publisher can (1) remove embedded API keys, (2) clearly declare required env vars and why they are needed, and (3) document which scripts call external tools and what permissions they need, the inconsistencies would be resolved and the skill would be far less suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e7h3nkv11hwpzc0n2e51hnx84b1xf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments