Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cpbox-suggest

v1.0.0

USE FOR query autocomplete/suggestions. Fast (<100ms). Returns suggested queries as user types. Supports rich suggestions with entity info. Typo-resilient.

by springmint @sprintmint

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name, description, endpoints, parameters, and response fields all align with a query-autocomplete/suggest service. No unrelated environment variables, binaries, or config paths are declared.

Instruction Scope

Most instructions stay within the suggest/HTTP API scope (GET to https://www.cpbox.io/api/x402/suggest). However the doc recommends using third-party SDKs (e.g., npx @springmint/x402-payment or x402-sdk-go) to perform payment signing — this instructs the operator/agent to execute code fetched from npm or other tooling and to perform cryptographic signing steps, which widens scope beyond simple HTTP queries.

Install Mechanism

There is no formal install spec (instruction-only), which is low risk. But the Quick Start suggests using npx to run @springmint/x402-payment; npx dynamically downloads and executes code from the npm registry at runtime, which can be a vector for executing remote code if followed. The skill itself does not ship code, but its recommended workflow depends on remote packages.

Credentials

The skill declares no required env vars or credentials, which matches a public suggest API. However the x402 payment flow implies use of a local wallet/key to sign requests; those keys are not declared or explained by the skill. The SKILL.md states 'wallet/keys stay on your machine', but does not describe how signing is performed or what local access is needed, so users must ensure signing is done safely (e.g., with a dedicated wallet) and not exfiltrated.

Persistence & Privilege

No always:true, no requested persistent system presence, and no instructions to modify other skills or system-wide settings. The skill is user-invocable and does not ask to enable itself permanently.

What to consider before installing

This skill is functionally coherent for autocomplete/suggestions and doesn't request credentials, but it directs you to an external payment flow that uses third-party SDKs (the npx command) and an external facilitator domain. Before installing or running it:

  1. Verify the reputations of https://www.cpbox.io and https://www.cppay.finance and the @springmint package on npm.
  2. Do not run npx commands unless you trust and have reviewed the package (npx downloads and executes remote code).
  3. Keep any signing keys in a secure, isolated wallet and consider using a dedicated low-value key for testing.
  4. If you want stronger assurance, ask the publisher for a reproducible install (pinned package version or vendor-provided binary) and audit the x402 SDK source code before using the automatic payment flow.

If you cannot confirm the SDK/package origins, prefer manual payment signing outside of automated agent execution.
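
One way to check a skill document for the unpinned npx pattern described above, as an added example (not ClawHub's scanner and not the skill's code). The function names and sample lines are constructed for illustration, and the version "1.2.3" is a placeholder.

```javascript
// Added example (not from the skill or ClawHub): flag npx invocations without an exact version pin.
// SAMPLE_DOC is constructed; "1.2.3" is a placeholder, not a real release of the package.
const SAMPLE_DOC = [
  'npx @springmint/x402-payment \\',
  '  --url "https://www.cpbox.io/api/x402/suggest?q=albert" --method GET',
  'npx --yes @springmint/x402-payment@1.2.3 --method GET',
  'npx @springmint/x402-payment@latest --method GET',
].join('\n');

// Split an npm spec into name and version. For scoped names the leading "@"
// belongs to the name, so the version separator is searched from index 1.
function parseSpec(spec) {
  const at = spec.indexOf('@', 1);
  return at === -1
    ? { name: spec, version: null }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Exact semver only: ranges (^1.2.0) and dist-tags (latest) can resolve to new code later.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function findUnpinnedNpx(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const tokens = line.trim().split(/\s+/);
    const idx = tokens.indexOf('npx');
    if (idx === -1) return;
    // Simplification: the first non-option token after "npx" is taken as the package spec.
    const spec = tokens.slice(idx + 1).find((t) => !t.startsWith('-') && t !== '\\');
    if (!spec) return;
    const { name, version } = parseSpec(spec);
    if (version === null) findings.push({ line: i + 1, name, reason: 'no version' });
    else if (!EXACT.test(version)) findings.push({ line: i + 1, name, reason: `floating: ${version}` });
  });
  return findings;
}

console.log(findUnpinnedNpx(SAMPLE_DOC));
```

A pin fixes which release is fetched; it does not replace reviewing that release.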

Like a lobster shell, security has layers — review code before you run it.

License: MIT-0

Suggest / Autocomplete

Paid Suggest proxy via x402 pay-per-use (HTTP 402).

Prerequisites: This skill requires x402-payment. Complete the setup steps before first use.

Security: Documentation only — no executable code or credentials. Wallet/keys stay on your machine; never stored here.

Service URLs

| Role | Domain |
|---|---|
| API Provider | https://www.cpbox.io |
| Facilitator | https://www.cppay.finance |

Endpoint (Agent Interface)

GET /api/x402/suggest

Payment Flow (x402 Protocol)

  1. First request -> 402 Payment Required with requirements JSON
  2. Sign & retry with PAYMENT-SIGNATURE -> result JSON

With @springmint/x402-payment or x402-sdk-go, payment is automatic.

Quick Start (cURL)

Basic Suggestions

curl -s "https://www.cpbox.io/api/x402/suggest?q=how+to+" \
  -H "Accept: application/json"

With All Parameters

curl -s "https://www.cpbox.io/api/x402/suggest" \
  -H "Accept: application/json" \
  -G \
  --data-urlencode "q=albert" \
  --data-urlencode "country=US" \
  --data-urlencode "lang=en" \
  --data-urlencode "count=10" \
  --data-urlencode "rich=true"

Using with x402-payment

npx @springmint/x402-payment \
  --url "https://www.cpbox.io/api/x402/suggest?q=albert&rich=true&count=10" \
  --method GET

Optional Headers:

  • Accept-Encoding: gzip — Enable response compression

Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| q | string | Yes | | Suggest search query (1-400 chars, max 50 words) |
| lang | string | No | en | Language preference (2+ char language code, e.g. fr, de, zh-hans) |
| country | string | No | US | Search country (2-letter country code or ALL) |
| count | int | No | 5 | Number of suggestions (1-20). Actual results may be fewer |
| rich | bool | No | false | Enhance with entity info (title, description, image). Paid Search plan required |

Response Fields

| Field | Type | Description |
|---|---|---|
| type | string | Always "suggest" |
| query.original | string | The original suggest search query |
| results | array | List of suggestions (may be empty) |
| results[].query | string | Suggested query completion |
| results[].is_entity | bool? | Whether the suggested enriched query is an entity (rich only) |
| results[].title | string? | The suggested query enriched title (rich only) |
| results[].description | string? | The suggested query enriched description (rich only) |
| results[].img | string? | The suggested query enriched image URL (rich only) |

Fields with null values are excluded from the response. Non-rich results contain only the query field.

Rich Response Example (rich=true)

{
  "type": "suggest",
  "query": { "original": "albert" },
  "results": [
    {
      "query": "albert einstein",
      "is_entity": true,
      "title": "Albert Einstein",
      "description": "German-born theoretical physicist",
      "img": "https://imgs.search.provider/..."
    },
    { "query": "albert einstein quotes", "is_entity": false }
  ]
}
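
An added example, not part of the skill's documentation: validating a response with the fields listed above before it reaches a preview card or an LLM prompt. The function names, the 400-character text cap and the https-only image policy are assumptions of this example.

```javascript
// Added example (not part of the skill): treat a suggest response as untrusted input.
const MAX_RESULTS = 20; // documented upper bound for `count`
const MAX_TEXT = 400;   // assumption: reuse the documented max query length as a text cap

// Keep only strings, strip control characters, cap the length.
function cleanText(v) {
  if (typeof v !== 'string') return null;
  return v.replace(/[\u0000-\u001f\u007f]/g, '').slice(0, MAX_TEXT);
}

// Accept only absolute https: URLs; anything else (javascript:, data:, http:) is dropped.
function httpsUrlOrNull(v) {
  if (typeof v !== 'string') return null;
  try {
    const u = new URL(v);
    return u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

function sanitizeSuggestResponse(body) {
  if (!body || body.type !== 'suggest' || !Array.isArray(body.results)) {
    throw new Error('unexpected suggest response shape');
  }
  const out = [];
  for (const r of body.results.slice(0, MAX_RESULTS)) {
    const query = r && cleanText(r.query);
    if (!query) continue; // `query` is the one field every result carries
    const item = { query, is_entity: r.is_entity === true };
    const title = cleanText(r.title);
    const description = cleanText(r.description);
    const img = httpsUrlOrNull(r.img);
    if (title) item.title = title;
    if (description) item.description = description;
    if (img) item.img = img;
    out.push(item);
  }
  return out;
}

// Constructed sample: the page's rich example with a hostile img value and a malformed entry.
const SAMPLE = { type: 'suggest', query: { original: 'albert' }, results: [
  { query: 'albert einstein', is_entity: true, title: 'Albert Einstein',
    description: 'German-born theoretical physicist', img: 'javascript:void(0)' },
  { query: 'albert einstein quotes', is_entity: false },
  { title: 'entry without a query field' },
] };
console.log(sanitizeSuggestResponse(SAMPLE));
```

Render the returned strings as text (for example via textContent), not as HTML.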

Use Cases

  • Search-as-you-type UI: Real-time autocomplete dropdown. Debounce 150-300ms.
  • Query refinement for RAG: Expand partial/ambiguous queries before calling web-search or llm-context.
  • Entity detection: Use rich=true to detect entities with title, description, and image for preview cards.
  • Typo-tolerant input: Get clean suggestions from misspelled input without separate spellcheck.

Notes

  • Latency: Designed for <100ms response times
  • Country/lang: Hints for suggestion relevance, not strict filters
  • Typo handling: Suggestions handle common typos without separate spellcheck
