Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Authenticate Wallet

v1.0.0

Sign in to AgnicPay wallet via browser-based OAuth. Use when you or the user want to authenticate, sign in, log in, connect wallet, or set up the CLI. Covers...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (authenticate AgnicPay wallet) align with the runtime instructions: SKILL.md instructs using the Agnic CLI (npx agnic@latest auth login/status) to perform browser-based OAuth and manage tokens. No unrelated services, environment variables, or files are requested.
Instruction Scope
Instructions stay within the authentication flow: run status, run auth login (which spins up a local server, opens a browser, exchanges codes, and stores tokens). The only filesystem path mentioned is ~/.agnic/config.json for token storage, which is appropriate for a CLI auth flow.
Install Mechanism
There is no explicit install spec, but SKILL.md directs running npx agnic@latest. npx dynamically downloads and executes the package from the npm registry at runtime (unpinned @latest). That is coherent for a CLI but increases risk because remote code is fetched and executed on each run; pinning a version or verifying the publisher mitigates this.
Credentials
The skill declares no required environment variables, credentials, or config paths beyond documenting that tokens are saved under ~/.agnic. There are no disproportionate or unrelated secret requests.
Persistence & Privilege
The always setting is false and model invocation is allowed (normal). The skill neither requests permanent agent presence nor modifies other skills. It only documents storing tokens for the CLI in the user's home directory (expected for auth).
Assessment
This skill is coherent for logging into AgnicPay via the official CLI, but before running it consider: (1) npx agnic@latest will fetch and execute the package from npm each time — prefer pinning a known-good version (e.g., agnic@1.2.3) or inspect the package/publisher on the npm registry before use; (2) there is no homepage or source listed in the metadata — verify the official package publisher to avoid typosquatting; (3) the CLI will store tokens at ~/.agnic/config.json (0600) — confirm you are comfortable with that path and revoke tokens if needed; (4) run the command in a sandbox or review the package code if you need stronger assurance. These are precautionary steps rather than indicators of misbehavior in the skill itself.
