ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

House Auction

v1.0.0

Scout, monitor, and bid on auctions on House (houseproto.fun) — a crypto auction platform on Base. Proactively watches for items the user cares about.

0· 909·1 current·1 all-time
by@im-still-thinking
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and install: the package implements MCP tools to search, list, create auctions and place bids against https://www.houseproto.fun. The single required env var (AUCTION_HOUSE_API_KEY) is exactly what the code uses for API authentication; no unrelated credentials or system paths are requested.
Instruction Scope
SKILL.md instructs the agent to proactively poll ('heartbeats'), remember user preferences, and execute auto-bid rules after confirmation. That matches the provided tools (search_auctions, place_bid, my_bids, wallet_info). Proactive monitoring and autonomous auto-bid behaviour are legitimate for this purpose but increase risk (automatic financial actions) — the user should be aware and confirm auto-bid rules explicitly.
Install Mechanism
Install is an npm package (auction-house-mcp). The repository includes all source and built files in the manifest; there are no opaque external downloads or shorteners. npm install/run is a moderate-risk, expected mechanism for this Node-based MCP server.
Credentials
Only AUCTION_HOUSE_API_KEY is required (with an optional AUCTION_HOUSE_URL override mentioned in README). This is proportionate: the API key is needed to authenticate bot actions (listing, bids, wallet info). No unrelated secrets (AWS, SSH, etc.) are requested.
Persistence & Privilege
The skill is not always-on and does not request system-wide privileges. It requests the agent remember user prefs/auto-bid rules (agent memory), which is consistent with its function. It does not modify other skills or system configs.
Assessment
This skill appears to be what it says: an MCP server that uses a House API key to monitor and place bids. Before installing: 1) Verify the npm package/author (search npmjs.org and review package ownership and recent versions). 2) Treat AUCTION_HOUSE_API_KEY as a powerful credential — it enables the skill to act on your behalf (place bids/create auctions). Limit funds in the bot wallet used by the key and fund only what you're willing to risk. 3) Be cautious with auto-bid rules: enable them only after testing with small amounts and explicitly confirm the first auto-run. 4) If you need extra assurance, review the included source files (client.js and index.js are present and readable) or run the MCP server in a restricted environment first. 5) Rotate or revoke the API key on houseproto.fun if you stop using the skill.

Like a lobster shell, security has layers — review code before you run it.

auctionsvk978jdfwa0qwfyj3e1k8jm38zx8116y2basevk978jdfwa0qwfyj3e1k8jm38zx8116y2cryptovk978jdfwa0qwfyj3e1k8jm38zx8116y2latestvk978jdfwa0qwfyj3e1k8jm38zx8116y2tradingvk978jdfwa0qwfyj3e1k8jm38zx8116y2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAUCTION_HOUSE_API_KEY
Primary envAUCTION_HOUSE_API_KEY

Install

Nodenpm i -g auction-house-mcp

Comments