Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chia SplitXCH

v1.0.0

Create SplitXCH royalty split addresses from plain language descriptions. Use when the user wants to split XCH payments, royalties, or revenue between multiple recipients. Triggers on "split royalties", "royalty split", "splitxch", "split XCH between", "revenue share", "payment split", "basis points split", or any request to divide Chia payments among wallets. Supports nested/cascading splits for complex hierarchies and 128+ recipients.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description, SKILL.md, API reference, and script all align: the skill parses user descriptions, computes basis points, and posts a JSON payload to an external SplitXCH API to obtain a computed XCH split address. However, the metadata claims no required binaries while the provided script depends on bash, curl, and jq — the omission is a minor inconsistency (not necessarily malicious) that may cause runtime failures.
Instruction Scope
The runtime instructions stay within the stated purpose: parse inputs, validate addresses/points, optionally perform a dry run, then call the third-party API to create splits. The SKILL.md does not instruct the agent to read unrelated files, environment variables, or system configuration. It does instruct sending recipient names and addresses to an external endpoint (splitxch.com), which is expected for this service but worth noting.
Install Mechanism
There is no install spec (instruction-only with a small helper script). No downloads or archive extraction occur. The bundle contains a small shell script and documentation, which is low-risk from an installation perspective.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportional for a client that posts payloads to an external web API. There are no unexplained secret requests.
Persistence & Privilege
The skill is not forced-always and does not request persistent system privileges or modify other skills. It uses the default autonomous-invocation setting (normal for skills).
Assessment
This skill appears coherent: it builds a JSON payload and posts it to https://splitxch.com to obtain a split address. Before installing, verify the reputation/trustworthiness of splitxch.com (the skill's source/homepage is missing). Ensure the runtime environment has bash, curl, and jq available (the metadata doesn't declare these). Understand that recipient names and XCH addresses will be sent to the external service — do not submit private data you don't want shared. If you prefer not to call the external API, use the skill's dry-run mode to compute basis points locally and only use the API after you trust the endpoint.

Like a lobster shell, security has layers — review code before you run it.
