Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

a2a-Market-Compute-Ledger

v0.2.0

Manage compute account ledgers, frozen balances, charge events, and settlement records for A2A commerce flows. Use when implementing or operating compute bil...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for luoqianchenguni-max/a2a-market-compute-ledger.

Install the skill "a2a-Market-Compute-Ledger" (luoqianchenguni-max/a2a-market-compute-ledger) from ClawHub.
Skill page: https://clawhub.ai/luoqianchenguni-max/a2a-market-compute-ledger
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install a2a-market-compute-ledger

ClawHub CLI


npx clawhub@latest install a2a-market-compute-ledger
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description describe a ledger/billing component and the SKILL.md lists sensible domain APIs and guardrails for that purpose. However, the doc both suggests a Python project layout and also claims an existing JS runtime implementation (runtime/src/domain/compute-ledger.js), which is inconsistent with an instruction-only, scaffold-first skill that includes no code. That mismatch is unexplained.
Instruction Scope
SKILL.md stays within the stated domain (freeze/capture/release holds, append-only journal, event emission). It does not explicitly instruct the agent to read unrelated system files or exfiltrate secrets. But it references local runtime code paths and 'npm test' as validation, which could lead an agent to look for or execute local files/tools that are not provided; the doc is high-level and leaves much implementation choice to the operator.
Install Mechanism
No install spec is provided (instruction-only), so nothing is written to disk by an installer. That is the lowest-risk install footprint.
Credentials
The skill declares no required environment variables, credentials, or config paths. The listed functionality (emitting events, writing finance logs) would normally require integration credentials, but none are requested here — the absence is reasonable for a scaffold/instruction document but should be clarified before deployment.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills. There is no install-time behavior that would grant it elevated platform privileges.
Scan Findings in Context
[no_code_files] unexpected: The regex scanner found no code to analyze because this is instruction-only. This is somewhat unexpected because the SKILL.md references specific runtime source files and npm tests that are not included.
What to consider before installing
This skill looks like a design/spec for a compute-account ledger rather than a ready-to-run component. Before installing or enabling it:

  1. Ask the author for the repository or runtime package they reference (the SKILL.md names runtime/src/domain/compute-ledger.js and npm tests) — those files are not present.
  2. Clarify whether the intended implementation is Python or JavaScript (the doc suggests both).
  3. Confirm what external systems (event bus, websocket, finance logs, DB) it will need and what credentials/config will be required; do not provide secrets until you verify the code and trust the source.
  4. Request concrete tests and an install/run procedure if you expect the agent to execute 'npm test' or other commands.

Given the inconsistencies, treat this skill as a specification scaffold rather than a deployable integration until those questions are answered.

Like a lobster shell, security has layers — review code before you run it.

latest vk97f671t22t5ybgnhkgyk4dcr1836vbn
211 downloads
0 stars
2 versions
Updated 3h ago
v0.2.0
MIT-0

a2a-Market Compute Ledger

Build and operate the compute ledger module for RealMarket A2A runtime.

Current status: scaffold-first skill for early registration. Keep APIs stable, add production logic incrementally.

Scope

  • Own ComputeAccount domain object, balance snapshots, and immutable transaction journal.
  • Support reserve/freeze before negotiation and final debit after order confirmation.
  • Emit billing events to event bus for reputation, websocket push, and finance logs.

Suggested Project Layout

  • app/domain/entities/compute_account.py
  • app/application/services/billing_service.py
  • app/infrastructure/db/ledger_repository.py
  • app/infrastructure/tasks/reconcile_ledger.py

Minimum Contracts (MVP P0)

  1. freeze(account_id, amount, reason) returns hold id and expiry.
  2. capture_hold(hold_id, order_id) converts hold to settled charge.
  3. release_hold(hold_id) unlocks unused balance.
  4. list_ledger_entries(account_id, from_ts, to_ts) returns ordered journal records.

Event Mapping

  • On hold created: emit INTENT_CREATED + billing extension payload.
  • On charge captured: emit ORDER_CREATED and settlement payload.
  • On charge finalized: emit PAYMENT_SUCCEEDED.

Guardrails

  • Use integer minor units for money; avoid float math.
  • Enforce idempotency key on every mutating operation.
  • Keep journal append-only; never rewrite posted entries.
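
The contracts and guardrails above, as an added in-memory sketch; it is not the skill's own code (the scan notes that none is shipped). The `idem_key` parameter, the 900-second hold TTL, the hold states and the journal entry kinds are assumptions made for this example.

```python
import itertools
import time

class ComputeLedger:
    def __init__(self, balances):
        self._available = dict(balances)  # account_id -> spendable integer minor units
        self._holds = {}                  # hold_id -> [account_id, amount, state]
        self._journal = []                # append-only: entries are never edited
        self._seen = {}                   # idempotency key -> first result, returned on replay
        self._ids = itertools.count(1)

    def _once(self, key, op):
        if key not in self._seen:
            self._seen[key] = op()
        return self._seen[key]

    def freeze(self, account_id, amount, reason, *, idem_key):
        def op():
            if type(amount) is not int or amount <= 0:
                raise ValueError("amount must be a positive integer of minor units")
            if self._available[account_id] < amount:
                raise ValueError("insufficient available balance")
            hold_id = f"hold-{next(self._ids)}"
            self._available[account_id] -= amount
            self._holds[hold_id] = [account_id, amount, "held"]
            self._journal.append((time.time(), account_id, "FREEZE", amount, reason))
            return hold_id, time.time() + 900  # expiry: assumed 15-minute hold TTL
        return self._once(idem_key, op)

    def _close(self, hold_id, state, ref, idem_key):
        def op():
            account_id, amount, current = self._holds[hold_id]
            if current != "held":
                raise ValueError(f"hold already {current}")
            self._holds[hold_id][2] = state
            if state == "released":
                self._available[account_id] += amount  # unused balance unlocked
            self._journal.append((time.time(), account_id, state.upper(), amount, ref))
            return state
        return self._once(idem_key, op)

    def capture_hold(self, hold_id, order_id, *, idem_key):
        return self._close(hold_id, "captured", order_id, idem_key)

    def release_hold(self, hold_id, *, idem_key):
        return self._close(hold_id, "released", hold_id, idem_key)

    def list_ledger_entries(self, account_id, from_ts, to_ts):
        return [e for e in self._journal if e[1] == account_id and from_ts <= e[0] <= to_ts]
```

A retried `freeze` with the same key returns the original hold instead of freezing twice, and a hold that has been captured can no longer be released, so a duplicate or out-of-order request cannot move balance a second time.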

Implementation Backlog

  • Add double-entry validation rules.
  • Add monthly statement export and audit tooling.

Runtime Implementation

  • Status: implemented in local runtime package.
  • Primary code paths:
      • runtime/src/domain/compute-ledger.js
  • Validation: covered by runtime/tests and npm test in runtime/.
