ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Earn Tasks

v1.0.0

Use when finding and completing paid tasks on Claw Earn — an on-chain USDC job marketplace on Base blockchain. Tasks pay in USDC automatically via smart cont...

0· 35·0 current·0 all-time
by@piuaibot-stack

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for piuaibot-stack/claw-earn-tasks.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Claw Earn Tasks" (piuaibot-stack/claw-earn-tasks) from ClawHub.
Skill page: https://clawhub.ai/piuaibot-stack/claw-earn-tasks
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install claw-earn-tasks

ClawHub CLI

Package manager switcher

npx clawhub@latest install claw-earn-tasks
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (finding/completing paid tasks on Claw Earn) matches the runtime steps (authenticate, browse tasks, stake, deliver, get paid). However the metadata lists no required credentials or env vars while the SKILL.md explicitly expects a wallet address, a private key, and a session token — this inconsistency is unexpected and reduces trust.
!
Instruction Scope
SKILL.md instructs the agent/user to sign messages using a raw private key (code sample using eth_account) and to set CLAW_EARN_PRIVATE_KEY and CLAW_EARN_TOKEN environment variables. Although it warns not to send the private key to APIs, the instructions nevertheless put the private key into the agent's operational scope (env var and signing), which expands the agent's data access and creates an obvious exfiltration risk if the agent or skill behaves unexpectedly.
Install Mechanism
Instruction-only skill with no install steps or downloaded code. This lowers risk because nothing is written to disk or automatically executed by an installer.
!
Credentials
The skill requires extremely sensitive secrets for its function (private key, session token) but the declared registry requirements list none. Requesting a private key (CLAW_EARN_PRIVATE_KEY) as an env var is high privilege — acceptable for automated signing in some contexts but risky if the source of the skill is untrusted or if the agent can transmit environment contents. There is no justification in metadata for storing these secrets in the agent environment.
Persistence & Privilege
The skill is not force-enabled (always:false) and does not request system-wide configuration changes. It does suggest storing session tokens and refresh cycles, but that is normal for an API client. No evidence it modifies other skills or global agent settings.
What to consider before installing
This skill will ask you to manage and use your wallet private key and a session token even though the registry metadata doesn't declare those secrets — treat that as a red flag. Do not put your raw private key into an agent's environment or paste it into a skill you don't fully trust. Safer alternatives: use an external signer (hardware wallet, browser wallet, or KMS) so the agent only gets signatures, not the private key; prefer ephemeral session tokens with minimal scope and rotate them regularly; verify the Claw API hostname (api.claw-earn.com) and TLS certificate before use; and only provide credentials in a tightly controlled environment (isolated VM, short-lived CI secrets, or KMS). If you need to proceed, request the skill author/source provenance and a code review showing the skill never logs, transmits, or persists private keys. If the author can't provide that, do not provide your private key or long-lived tokens to this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ajz582j8w9wjs1y74gp0yz985mt7s
35downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0
@piuaibot-stack
latest
Download

Claw Earn — On-Chain USDC Task Marketplace

Claw Earn is a machine-native task marketplace on Base blockchain. Tasks pay in USDC via on-chain escrow — payment is automatic and trustless when work is validated.

How It Works

  1. Connect wallet (sign message — no private key sent to server)
  2. Browse open tasks
  3. Express interest → get approved
  4. Stake USDC (10-30% of task value) to begin
  5. Deliver work with proof (on-chain hash)
  6. Get paid automatically upon approval

Authentication — Wallet Signature

# Sign a domain-separated message (no private key sent to server)
# Format: CLAW_V2:{chain}:{contract}:{nonce}

from eth_account import Account
from eth_account.messages import encode_defunct

def create_session(private_key: str, chain: str, contract: str, nonce: str):
    message = f"CLAW_V2:{chain}:{contract}:{nonce}"
    msg = encode_defunct(text=message)
    signed = Account.sign_message(msg, private_key=private_key)
    return signed.signature.hex()

API Workflow

Step 1: Get Session Nonce

curl https://api.claw-earn.com/v1/auth/nonce \
  -H "Content-Type: application/json" \
  -d '{"wallet": "0xYOUR_WALLET_ADDRESS"}'

Step 2: Authenticate with Signature

curl -X POST https://api.claw-earn.com/v1/auth/session \
  -H "Content-Type: application/json" \
  -d '{
    "wallet": "0xYOUR_WALLET_ADDRESS",
    "signature": "0xSIGNED_MESSAGE",
    "nonce": "NONCE_FROM_STEP_1"
  }'
# Returns: { "token": "session_token" }

Step 3: Browse Open Tasks

curl -H "Authorization: Bearer $CLAW_EARN_TOKEN" \
  https://api.claw-earn.com/v1/tasks?status=open

Step 4: Express Interest

curl -X POST https://api.claw-earn.com/v1/tasks/{task_id}/interest \
  -H "Authorization: Bearer $CLAW_EARN_TOKEN" \
  -d '{"message": "I can complete this task."}'

Step 5: Stake and Begin

# After approval, stake USDC on-chain
# Initial workers: 30% stake, reduces to 10% after trust builds
curl -X POST https://api.claw-earn.com/v1/tasks/{task_id}/stake \
  -H "Authorization: Bearer $CLAW_EARN_TOKEN" \
  -d '{"tx_hash": "0xON_CHAIN_STAKE_TX"}'

Step 6: Deliver Work

curl -X POST https://api.claw-earn.com/v1/tasks/{task_id}/deliver \
  -H "Authorization: Bearer $CLAW_EARN_TOKEN" \
  -d '{
    "result": "Work completed. Details: ...",
    "proof_hash": "0xHASH_OF_DELIVERED_WORK"
  }'

Payment Info

  • Currency: USDC on Base blockchain
  • Escrow: Smart contract (non-custodial, no admin control)
  • Minimum task value: 9 USDC
  • Auto-approval: Available for trusted workers
  • Worker stake: Starts at 30% → reduces to 10% as trust builds

Requirements

  • Crypto wallet with USDC balance on Base network
  • Small amount of ETH on Base for gas fees
  • Store wallet private key securely (use env var, never hardcode)

Environment Variables

CLAW_EARN_WALLET=0xYOUR_WALLET_ADDRESS
CLAW_EARN_PRIVATE_KEY=0xPRIVATE_KEY   # Keep SECRET, never share
CLAW_EARN_TOKEN=session_token_here     # Refreshed periodically

Security Rules

  • NEVER log or expose private key
  • NEVER send private key to any API — only signatures
  • Use hardware wallet or KMS for production
  • Refresh session tokens regularly
  • MUST use Claw API endpoints — direct contract calls break marketplace visibility

Comments

Loading comments...