Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Solana Intelligence (Solana Intelligence Analysis)
v1.0.0
Solana on-chain intelligence analysis and opportunity detection tool. Used to analyze Solana ecosystem projects, detect emerging opportunities, track meme-coin trends, monitor on-chain data and provide investment advice. Trigger this Skill when the user needs to analyze the Solana ecosystem, discover new projects, track on-chain opportunities, obtain Solana market intelligence or perform on-chain data analysis.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's name and analysis scripts (token_analyzer.py, ecosystem_monitor.py) align with a Solana analysis tool. However, _meta.json and payment.py introduce a payment integration (pricing/apiKey) that is not documented in SKILL.md: the SKILL.md instructions show running the analysis scripts with no mention of payment gating. The presence of an embedded SkillPay API key in both _meta.json and payment.py is disproportionate to the advertised, open analysis functionality and is not declared in the skill's requirements.
Instruction Scope
SKILL.md instructs running the included scripts and references public data sources. It does not mention contacting any payment API or requiring a payment check, yet payment.py exists and would contact api.skillpay.io to verify payment (and could accept a user wallet address). The runtime instructions therefore omit an external network/payment step that is present in the codebase, creating a hidden behavioral gap.
Install Mechanism
There is no install specification (instruction-only), which minimizes installation risk. However, the skill bundles runnable Python scripts that perform outbound network calls; because no install step is declared, the scripts will run in the agent environment as-is, with no packaged vetting. No third-party install downloads or archive extraction were observed.
Credentials
The skill declares no required env vars or credentials, but contains a hard-coded API key (sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2) in payment.py and _meta.json. This embedded secret is not justified by the SKILL.md instructions, and the code would use it to contact an external payment service. The skill also posts (optionally) a user wallet address and timestamp to that external endpoint — a data-exfiltration/privacy concern that was not disclosed in the documentation.
Persistence & Privilege
The skill does not request persistent 'always' inclusion, does not declare system-wide config changes, and only writes transient output files (e.g., /tmp/solana_overview_*.json). There is no evidence it modifies other skills or system agent settings.
Scan Findings in Context
[HARDCODED_API_KEY] unexpected: A long bearer-style API key is embedded in both _meta.json and payment.py. An analysis skill that documents public APIs would not normally include a secret credential for a payment provider; embedding a secret credential in source is a secret-management/operational risk and is not expected for the stated purpose.
[UNDECLARED_NETWORK_CALL_PAYMENT] unexpected: payment.py will POST to https://api.skillpay.io/v1/verify to verify payments and may include a user wallet address. This external payment verification is not documented in SKILL.md usage instructions and is therefore unexpected by a user following the docs.
What to consider before installing or running this skill:
- Do not run the bundled scripts in an environment containing sensitive data or unlocked wallets without review. The scripts make outbound network calls and the repository includes a hard-coded SkillPay API key that will be used if payment.py is invoked.
- The SKILL.md does not mention a paywall, but the code and _meta.json include payment logic and an embedded API key. Ask the publisher to explain the payment flow and why a secret key is included in the repo. Request removal of any embedded keys and that payment checks be documented explicitly.
- If you need to run the analysis: run in a network-restricted sandbox or container, or disable/inspect payment.py first. Consider grepping the files for credentials and rotating/revoking any keys you control that appear here.
- If you expect a free/open analysis tool, treat this skill as untrusted until the author clarifies the monetization and removes embedded secrets. If you plan to use the payment service, verify the skillpay endpoint's legitimacy independently and avoid providing real wallet addresses until you confirm privacy and handling of that data.
Confidence note: The core analysis code appears coherent with the advertised purpose, but the undisclosed payment integration and embedded API key produce a significant trust mismatch; additional clarification from the author would raise confidence.
