Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Antom Copilot

v2.0.6

Antom Intelligent Assistant - Central control for all Antom-related requirements, intelligently analyzes user intent and delegates to the Payment Success Rat...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for miscocox/antom-copilot.

Install the skill "Antom Copilot" (miscocox/antom-copilot) from ClawHub.
Skill page: https://clawhub.ai/miscocox/antom-copilot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install antom-copilot

ClawHub CLI

npx clawhub@latest install antom-copilot

Security Scan

Capability signals

  • Crypto
  • Can make purchases

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name/description and included scripts align with a Payment Success Rate reporting capability: query data, analyze/generate PDF, and email reports. That functionality reasonably requires a merchant credential and SMTP credentials. However there are inconsistencies across the package (different document endpoints mentioned in SKILL.md vs. the actual API endpoint in the query script), and the registry metadata does not declare the sensitive credentials the code actually needs (merchant_token and SMTP password).

Instruction Scope

Runtime instructions require a local config file (~/antom/conf.json or %USERPROFILE%\antom\conf.json) containing merchant_token and full email_conf (including SMTP password). The code reads this file and uses the merchant_token to POST to an external API and uses SMTP credentials to send mail — these actions are consistent with the stated purpose. Concerns: (1) the payment_expert SKILL.md lists an AlipayPlus/ibotservice endpoint but the query script posts to https://antomaplusai.antom.com/... — mismatched endpoints should be verified; (2) some scripts enforce different data-validity rules (one allows card OR apm, another requires both), indicating sloppy/contradictory logic; (3) SKILL.md references convenience scripts (./generate_today_report.sh) that are not included.

Install Mechanism

This is instruction-only / scripts-only with no install spec. Dependencies are listed in requirements.txt (requests, matplotlib, reportlab, numpy) which matches the code (HTTP calls, plotting, PDF generation). No downloads from unknown URLs and nothing is written to system-wide locations beyond the user's ~/antom folder. This is a lower install risk, but the package will write and read files under the user's home directory.

Credentials

The skill requires (via its instructions and code) sensitive secrets: a merchant_token and SMTP credentials (username and password/app-password) stored in a local conf.json. These secrets are necessary for the advertised functionality, so they are proportionate in purpose — but the skill's registry metadata does not declare these requirements (no required env vars, primary credential, or config-path declarations). The lack of declared credentials in metadata reduces transparency and is a security/operational concern. Also the code will cause those secrets to be used to contact external endpoints and to log into SMTP, so users should be aware.

Persistence & Privilege

The skill does not request 'always: true' and is user-invocable; it does not attempt to modify other skills or system-wide settings. Its persistence is limited to creating/reading files within ~/antom (or %USERPROFILE%\antom on Windows).

What to consider before installing

This skill appears to implement the advertised reporting pipeline, but several things don't add up and you should verify before installing or providing secrets:

  • Confirm the API endpoint(s): the payment_expert SKILL.md mentions an AlipayPlus endpoint, but the query script uses https://antomaplusai.antom.com/... — verify which domain is legitimate for your merchant account before giving a merchant_token.
  • The skill requires a conf.json with merchant_token and full SMTP credentials (including your email password or app-specific password). These are sensitive; only provide them if you trust the code and domain. Consider using an app-specific email password and a least-privilege mailbox.
  • Metadata omission: the registry lists no required credentials or config paths even though the scripts depend on conf.json. This reduces transparency — treat that as a red flag.
  • Inconsistencies in code: different scripts have different data-validation rules and the package references helper scripts (generate_today_report.sh) that are not present, which suggests sloppy packaging. Test in an isolated environment first (e.g., VM or container) and review the full source yourself.
  • Audit network behavior: run the query script in a controlled environment and inspect outbound requests to ensure data is sent only to the expected Antom domain. If possible, verify domain ownership (DNS, TLS certs) or ask the vendor for authoritative documentation.

If you decide to use it: do so in an isolated/limited environment, back up critical data, limit SMTP credential scope, and verify endpoints and code integrity. If you cannot verify the domain or code author, treat providing credentials as high risk.
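
One way to run the endpoint and conf.json checks described above before handing over any secrets, as an added example that is not part of the skill or of the scan report. The sample file contents, the placeholder host `docs-endpoint.example` and the allowlist are constructed; treating `antom.com` as verified is an assumption you must confirm with the vendor.

```python
import os
import re
import stat
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def hosts_in(text):
    """Hostnames of every http(s) URL that appears in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host)
    return hosts

def outside_allowlist(files, allowed_domains):
    """Map file name -> hosts it references that are not an allowed domain or subdomain."""
    findings = {}
    for name, text in files.items():
        bad = sorted(h for h in hosts_in(text)
                     if not any(h == d or h.endswith("." + d) for d in allowed_domains))
        if bad:
            findings[name] = bad
    return findings

def code_hosts_missing_from_docs(doc_text, code_text):
    """Hosts the code contacts that the documentation never mentions."""
    return sorted(hosts_in(code_text) - hosts_in(doc_text))

def conf_is_private(path):
    """True if no group/other permission bits are set on the secrets file (POSIX only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

# Constructed sample: docs-endpoint.example stands in for the endpoint SKILL.md lists.
SAMPLE_FILES = {
    "payment_expert/SKILL.md": "POST https://docs-endpoint.example/query",
    "query_antom_psr_data.py": 'API_URL = "https://antomaplusai.antom.com/..."',
}
ALLOWED = ("antom.com",)  # assumption: domains you have verified with the vendor

if __name__ == "__main__":
    print(outside_allowlist(SAMPLE_FILES, ALLOWED))
    print(code_hosts_missing_from_docs(*SAMPLE_FILES.values()))
    conf = os.path.expanduser("~/antom/conf.json")
    if os.path.exists(conf):
        print("conf.json private:", conf_is_private(conf))
```

The suffix match requires a dot boundary, so a lookalike such as `notantom.com` is reported rather than accepted. A static scan only shows what the files mention; it does not replace inspecting the actual outbound requests in an isolated environment.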

Like a lobster shell, security has layers — review code before you run it.

latestvk97a8cmjjrj4v2wqw9rgbqxay184vswb
157 downloads
18 stars
4 versions
Updated 1w ago
v2.0.6
MIT-0

Antom Copilot

Hello! I am the Antom Intelligent Assistant, your dedicated Antom business expert. I can help you handle all Antom-related queries and operations.

🔧 Initial Setup

Before using Antom Copilot, you need to configure your merchant information:

Configuration File Location

  • macOS/Linux: ~/antom/conf.json
  • Windows: %USERPROFILE%\antom\conf.json

Configuration Parameters

The configuration file needs to include the following parameters:

{
  "merchant_token": "Your Merchant Token",
  "email_conf": {
    "smtp_server": "smtp.gmail.com",
    "smtp_port": 587,
    "username": "your-email@gmail.com",
    "password": "your-app-password",
    "use_tls": true
  }
}

Configuration Parameter Description:

  • merchant_token: Merchant Token (required, for API authentication)
  • email_conf: Email configuration (required, for sending reports)

How to Obtain Configuration Information

You can visit the Antom Portal to get your merchant_token:

🔗 Antom Portal Address: https://dashboard.antom.com/

In the portal, you can:

  1. Log in to your merchant account
  2. Ask Antom Copilot for the merchant token, for example: "I need to get the merchant token for antom copilot skill"
  3. If you have questions, you can contact Antom technical support

💡 Tip: Keep your merchant_token secure and do not share it with others.

Sub-Expert Team

📊 Payment Success Rate Expert

Focused on payment success rate data processing and report generation:

  • Pull merchant payment success rate data (query_antom_psr_data.py)
  • Analyze data and generate PDF reports (analyse_and_gen_report.py)
  • Send payment success rate reports (send_psr_report.py)

Intent Recognition and Delegation Rules

When you ask questions, I will analyze your intent and automatically delegate to the Payment Success Rate Expert for:

  • Pull payment success rate data
  • Generate payment success rate reports
  • Send payment success rate reports

Current Status

The Payment Success Rate Expert is ready:

  • ✅ Payment Success Rate Expert: payment_success_rate_expert helloworld!

You can now ask any payment success rate related questions!
