Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Arc Security - Agent Trust Protocol
v1.0.1
Manage skill trust by staking USDC bonds, paying micro-fees for verified skills, reporting malicious skills, and participating in decentralized governance vi...
by Shaishav Pidadi (@shaivpidadi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description and code align: the skill implements an on‑chain SkillSecurityRegistry client, CCTP transfers and an x402 paywall client to download skill packages. Requiring RPC URLs, CONTRACT_ADDRESS and a signing key (PRIVATE_KEY) is consistent with on‑chain write operations. However, skill.json's config omits PRIVATE_KEY even though SKILL.md and the code require it — this manifest mismatch is a red flag that the metadata and runtime requirements are not fully synchronized.
Instruction Scope
Runtime instructions and code perform sensitive actions outside simple queries: the CLI will sign and send on‑chain transactions using PRIVATE_KEY, and the x402 client downloads arbitrary ZIP packages from the configured x402 server and extracts them into the current working directory. Automatically extracting remote archives without validation (and installing other skills) increases risk because a malicious x402 server can deliver arbitrary code. SKILL.md requires PRIVATE_KEY and contract config which the code uses; the instruction scope matches the purpose but includes high‑impact operations (key usage + arbitrary code installation).
Install Mechanism
No install spec (instruction+code only), dependencies are standard (web3, requests, python-dotenv). The highest installation risk comes from runtime behavior: request_skill downloads a zip and extracts it locally (extract all). The code does not validate or sandbox downloaded packages. The package itself was delivered with source files included (no external archive downloads during install).
Credentials
The skill legitimately needs RPC endpoints and a private key for signing transactions and cross‑chain transfers. That said, PRIVATE_KEY is highly sensitive and the manifest (skill.json) fails to declare it as a required config item, while SKILL.md and the code require it — an inconsistency. Also the skill will use that key to sign arbitrary transactions (bond, vote, authorize usage), so you must only use a key you control and limit funds on it. The default x402 server URL is a placeholder (skills.example.com) — using an untrusted x402 server would allow it to control what gets downloaded.
Persistence & Privilege
The skill is not marked always:true and does not request platform‑wide persistence. It will, however, write downloaded skill packages to disk and extract them (installing other skills), which is expected for a skill installer but increases attack surface. It does not modify other skills' configurations directly in the code shown, but installing arbitrary packages can effectively modify agent behavior.
Scan Findings in Context
[base64-block] unexpected: The pre-scan flagged a base64-block pattern in SKILL.md. I did not observe an obvious embedded base64 payload in the provided SKILL.md excerpt, but the scanner detection could indicate an encoded block intended to influence prompts or embed payloads. Regardless, the presence of prompt-injection signals should be treated as suspicious and warrants manual review of the full SKILL.md and any hidden content.
What to consider before installing
- This skill needs a wallet private key (PRIVATE_KEY) and will sign/send transactions (bonding, voting, claiming, authorizing usage). Only use a key with minimal funds and no long‑term access to critical assets (prefer a throwaway/test wallet or hardware wallet where possible).
- The x402 server you configure will be able to serve ZIP packages that this skill will download and extract locally. Only point X402_SERVER_URL at servers you trust; inspect downloaded ZIPs before executing any installed code.
- The package metadata is inconsistent: skill.json does not list PRIVATE_KEY as a required config even though SKILL.md and the code expect it. That mismatch suggests the metadata or packaging may be incomplete — proceed cautiously and review the code yourself.
- The CCTP attestation flow in the client contains placeholders (simulated attestation) and many testnet zero-addresses; the implementation may be incomplete or non-production. Do not rely on it for real mainnet funds without auditing.
- If you decide to test: use testnet or a disposable environment, verify CONTRACT_ADDRESS and RPC endpoints, and monitor outbound network calls. Prefer to review / vet the x402 server and SkillSecurityRegistry contract code before trusting bond/vote flows.
If you want, I can extract and highlight the exact lines that (a) read PRIVATE_KEY and sign transactions, and (b) download+extract ZIPs so you can quickly audit the dangerous spots.
Like a lobster shell, security has layers — review code before you run it.
