Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AIKEK API
v1.3.1
Access AIKEK APIs for crypto/DeFi research and image generation. Authenticate with a Solana wallet, query the knowledge engine for real-time market data and...
by Vladimir Sotnikov (@vvsotnikov)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (crypto/DeFi research + image generation) legitimately requires an API token and a signing key for wallet-based auth; however the registry metadata lists no required environment variables or binaries while the SKILL.md explicitly requires AIKEK_PRIVATE_KEY, AIKEK_API_TOKEN and Python packages (solders, requests). That metadata mismatch is incoherent and should be resolved before trusting the skill.
Instruction Scope
Runtime instructions tell the user/agent to generate a Solana keypair, write the private key and API token into ~/.config/aikek/credentials (plaintext fallback), and to source/read that file. These steps are within the functional scope of a wallet-authenticated API, but they involve creating and storing highly sensitive secrets in a local file and instruct the agent to reuse a non-expiring token — increasing risk if the token or file are exposed.
Install Mechanism
This is an instruction-only skill (no install spec / no code files). The SKILL.md mentions Python 3.10+ and the solders and requests packages but provides no automated install steps; absence of an install spec is lower risk but the documentation/metadata should declare required runtime packages so users can vet them.
Credentials
The instructions require two sensitive values (AIKEK_PRIVATE_KEY and AIKEK_API_TOKEN). Those variables are proportionate to a wallet-based authentication flow, but the registry omitted them — and the token is described as non-expiring, which is disproportionate from a security standpoint (long-lived secrets increase blast radius). The skill also suggests storing secrets in plaintext as a fallback; that's insecure.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges and does not modify other skills. However, it recommends persisting a long-lived API token and a private key on disk; that persistent credential storage effectively increases the skill's potential long-term access if the token or file are later read by other processes or compromised.
What to consider before installing
This skill's instructions require you to generate and store two sensitive secrets (a Solana private key and a non-expiring API token) but the registry metadata does not list those requirements — treat that as a red flag. Before installing or using:
1) Verify the skill's origin and the api.alphakek.ai domain and documentation independently.
2) Prefer using a secure secrets manager or encrypted keystore rather than writing keys/tokens to ~/.config/aikek/credentials in plaintext.
3) If you must store a token locally, request short-lived tokens or revocable credentials; avoid non-expiring tokens.
4) Confirm the solders/requests Python package requirements and install them in a controlled virtualenv.
5) If you proceed, limit the file permissions (chmod 600) and consider creating the wallet in an isolated environment; revoke the token if you later suspect compromise.
Finally, ask the publisher to update the registry metadata to declare required env vars and runtime dependencies — the current mismatch should be fixed before trusting automation.
Like a lobster shell, security has layers — review code before you run it.
