Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crawdaddy

v1.0.0

Autonomous scanner detecting quantum-unsafe ECDSA, smart contract risks, and agent credential exposures with compliance-ready post-quantum security reports.

by Michael Bennett (@mbennett-labs)

Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mbennett-labs/crawdaddy.

Prompt (Install & Setup):

Install the skill "Crawdaddy" (mbennett-labs/crawdaddy) from ClawHub.
Skill page: https://clawhub.ai/mbennett-labs/crawdaddy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install crawdaddy

ClawHub CLI:

npx clawhub@latest install crawdaddy

Both commands fetch the skill bundle at install time, and npx clawhub@latest also downloads and runs the newest published ClawHub CLI; pin a CLI version if you need the install to be reproducible.
Security Scan

VirusTotal: Suspicious (view report)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
SKILL.md and README describe an autonomous scanner that integrates with GitHub/GitLab, blockchain RPCs, and agent platforms and produces JSON/PDF/HTML reports. However, the bundle contains no code, no install, and declares no required credentials or endpoints. A legitimate autonomous scanner would normally include scanning code or call an external service endpoint and would typically require API tokens (or at least document how to access public/private repos and RPC nodes). The stated pricing and proprietary reporting model further imply an external service, but the skill provides no runtime instructions tying into that service.
Instruction Scope
The SKILL.md is high-level and does not include concrete runtime commands or safe-scoped instructions. It instructs users to 'submit repository URL or smart contract address' and promises scanning agent credentials and MCP packages for unencrypted keys — but it does not specify how the agent should obtain code, whether it should read local files, or which endpoints to call. This vagueness grants broad discretion and could lead to an agent reading local skill packages or environment data without clear boundaries.
Install Mechanism
There is no install spec and no code files beyond documentation (SKILL.md, README, package.json). That lowers the immediate file-system and supply-chain risk because nothing will be downloaded or executed by default from this bundle. However, it also means the skill's claimed functionality is unimplemented or intended to rely on external services not described here.
Credentials
The skill claims to scan private repos, blockchain nodes, and agent credentials, which would normally require access to GitHub/GitLab tokens, blockchain RPC endpoints (or provider API keys), and possibly privileged access to agent storage. Yet requires.env and primary credential fields are empty. The absence of declared credentials is disproportionate to the described capabilities and leaves unclear how the scanner is supposed to operate (local code analysis vs. remote service).
Persistence & Privilege
Flags show always:false and default autonomous invocation allowed. The skill does not request persistent presence or system-wide configuration changes, and there is no install step that writes to disk. From a privilege/persistence perspective the bundle is low-impact as provided.
What to consider before installing

This package is suspicious because it promises a capable autonomous scanner but contains only documentation and no implementation or credential requirements. Before installing or enabling it:

  1. Ask the publisher for the actual scanner code or a concrete runtime endpoint and an explanation of where scanning work runs (local vs. remote).
  2. Verify how private repos or RPC nodes are accessed. Do not provide GitHub tokens, RPC keys, or agent credentials unless you trust and have reviewed the service code.
  3. Request a sample report produced from a known public repo and the exact commands/tools used (Solidity analyzers, linters, PQC checks).
  4. Validate the vendor identity (domain, email, GitHub repo) independently and check for an open-source scanner you can audit.
  5. If you must test, do so in an isolated environment and avoid granting access to production secrets or private repos.

If the publisher intends this skill to call an external paid service, that behavior should be explicit in SKILL.md and the skill should require only the minimal credentials needed for that service.
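The first two checks above (does any code actually ship, and does the manifest declare the credentials the docs imply) can be scripted against a downloaded bundle before anything is enabled. The script below is an added example, not ClawHub's scanner or anything from the Crawdaddy project. It assumes a bundle layout of SKILL.md/README.md plus a package.json whose optional requires.env list names required environment variables; the capability keywords are a demo choice, and both bundles it audits are constructed inline (the first is shaped like the findings above, the second ships code and declares its needs).

```python
"""Pre-install triage of a skill bundle: does what the docs claim match what ships?

Added example, not ClawHub's scanner. The manifest layout (package.json with an
optional "requires": {"env": [...]} list) and the capability keywords are assumptions.
"""
import json
import re
import tempfile
from pathlib import Path

CODE_SUFFIXES = {".py", ".js", ".mjs", ".cjs", ".ts", ".sh", ".go", ".rs", ".sol"}
# Words in SKILL.md/README that imply either shipped code or a declared credential.
CAPABILITY_HINTS = {
    "github": "GitHub access normally needs a token such as GITHUB_TOKEN",
    "gitlab": "GitLab access normally needs a token such as GITLAB_TOKEN",
    "rpc": "chain reads need an RPC endpoint or provider key",
    "private repo": "private repository access needs a scoped token",
    "scan": "scanning needs an engine in the bundle or a documented service endpoint",
}


def audit_bundle(root: Path) -> dict:
    """Compare documented capabilities against shipped code, declared env and documented endpoints."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    rel = [p.relative_to(root).as_posix() for p in files]
    code_files = [r for r, p in zip(rel, files) if p.suffix in CODE_SUFFIXES]
    manifest_path = root / "package.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    declared_env = list(manifest.get("requires", {}).get("env", []))
    docs = "\n".join(p.read_text(errors="replace") for p in files if p.suffix == ".md")
    claimed = {word: why for word, why in CAPABILITY_HINTS.items() if word in docs.lower()}
    endpoints = sorted(set(re.findall(r"https?://[^\s\"')>]+", docs)))
    issues = []
    if claimed and not code_files:
        issues.append("NO_CODE: docs claim capabilities but no source ships; the work must happen somewhere undisclosed")
    if claimed and not declared_env:
        issues.append("NO_CREDENTIALS: docs describe integrations but the manifest declares no required env")
    if claimed and not code_files and not endpoints:
        issues.append("NO_ENDPOINT: no URL tells the agent where remote scanning would run")
    return {
        "files": rel,
        "code_files": code_files,
        "declared_env": declared_env,
        "claimed_capabilities": claimed,
        "documented_endpoints": endpoints,
        "issues": issues,
        "verdict": "suspicious" if issues else "review-code",
    }


def write_bundle(root: Path, files: dict) -> Path:
    """Materialise a {relative path: text} mapping under root (test fixture helper)."""
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return root


# Constructed bundles: a docs-only one shaped like the scan findings above, and a
# comparison bundle that ships code, names its endpoint and declares what it needs.
DOCS_ONLY = {
    "SKILL.md": "# Scanner\nScans GitHub and GitLab repositories and blockchain RPC nodes for quantum-unsafe ECDSA.\n",
    "README.md": "Submit a repository URL or contract address to scan.\n",
    "package.json": json.dumps({"name": "demo-scanner", "version": "1.0.0"}),
}
WITH_CODE = {
    "SKILL.md": "# Scanner\nScans GitHub repositories via the API at https://api.github.com using GITHUB_TOKEN.\n",
    "scan.py": "import os\nTOKEN = os.environ['GITHUB_TOKEN']\n",
    "package.json": json.dumps({"name": "demo-scanner", "version": "1.0.0",
                                "requires": {"env": ["GITHUB_TOKEN"]}}),
}


def run_demo() -> tuple:
    """Audit both constructed bundles in temporary directories; returns (docs_only, with_code)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return audit_bundle(write_bundle(Path(a), DOCS_ONLY)), audit_bundle(write_bundle(Path(b), WITH_CODE))


if __name__ == "__main__":
    for report in run_demo():
        print(json.dumps(report, indent=2))
```

Run it on a real bundle with audit_bundle(Path("path/to/skill")). A "suspicious" verdict is not proof of malice; it means the bundle cannot do what its docs say on its own, so you need the publisher to tell you where the work runs and what it touches before handing it any token.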

Like a lobster shell, security has layers — review code before you run it.

latest: vk97fkx1kf2rj8ee8trkqe9pb4s836s4m
187 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

CrawDaddy - Post-Quantum Security Scanner

Autonomous security scanner for post-quantum cryptography readiness, smart contracts, and agent credential exposure.

Overview

CrawDaddy scans code repositories, blockchain contracts, and agent skill packages for quantum-unsafe ECDSA usage and emerging infrastructure vulnerabilities. Built by Quantum Shield Labs.

Target Audience

  • Healthcare CISOs protecting patient data (50+ year sensitivity)
  • Blockchain developers securing smart contracts on Ethereum/Base
  • Agent builders securing MCP skills and autonomous agent infrastructure
  • Compliance officers implementing post-quantum readiness programs

Features

1. Smart Contract Auditing

Scan Ethereum and Base L2 smart contracts for quantum-vulnerable cryptographic primitives:

  • ECDSA signature vulnerabilities (Shor's algorithm breakage)
  • Known expiration dates on cryptographic keys
  • Risk assessment for long-lived contracts
  • Compatibility analysis for post-quantum alternatives

2. Cryptographic Repository Scanning

Analyze code repositories for:

  • Quantum-unsafe cryptographic dependencies (ECDSA, RSA)
  • Crypto usage patterns vulnerable to "harvest now, decrypt later" attacks
  • Migration paths to post-quantum algorithms (NIST FIPS 203/204/205: ML-KEM, ML-DSA, SLH-DSA)
  • Data sensitivity mapping (50+ year lifetime assets)

3. Agent Credential Exposure Detection

Scan AI agent skills and MCP packages for:

  • Unencrypted API keys and signing credentials
  • Long-lived tokens vulnerable to retroactive decryption
  • Credential injection attack vectors
  • Authentication protocol weaknesses

4. Audit Trail & Compliance Reports

Generate auditable, timestamped reports including:

  • Detailed vulnerability inventory
  • Risk scoring and remediation paths
  • NIST post-quantum readiness checklist
  • Healthcare/HIPAA compliance mapping
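What a minimal version of features 1 through 4 looks like in code: a rule-driven static pass over a checkout that flags concrete ECDSA/RSA API calls and Solidity ecrecover use, flags plaintext credentials in skill packages, and emits a timestamped JSON report with a severity summary and a readiness checklist. This is an added illustration, not CrawDaddy's engine: the rule set, severities, remediation text, the data-lifetime escalation and the sample files are all assumptions for the demo. It goes a step beyond the feature list by treating signatures and key establishment differently, since "harvest now, decrypt later" threatens long-lived confidentiality but not a signature verified today.

```python
"""Static scan for quantum-unsafe crypto calls and plaintext credentials.

Added example, not CrawDaddy's code: the rules, severities, sample inputs and
report layout are assumptions chosen to illustrate the four features above.
"""
import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# (rule id, category, base severity, pattern, remediation). Patterns target API calls, not prose mentions.
RULES = [
    ("PQC-001", "quantum-unsafe-signature", "high",
     re.compile(r"\bec\.ECDSA\s*\(|\becdsa\.SigningKey\b"),
     "ECDSA signing is broken by Shor's algorithm; plan a move to ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)."),
    ("PQC-002", "quantum-unsafe-encryption", "high",
     re.compile(r"\brsa\.generate_private_key\s*\(|\bpadding\.OAEP\s*\(|\bec\.ECDH\s*\("),
     "RSA/ECDH key establishment is exposed to harvest-now-decrypt-later; add ML-KEM (FIPS 203) in hybrid mode."),
    ("PQC-003", "quantum-unsafe-signature", "high",
     re.compile(r"\becrecover\s*\("),
     "ecrecover gates authorisation on secp256k1 signatures; plan the migration before the contract's key lifetime ends."),
    ("CRED-001", "credential-exposure", "critical",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "AWS access key ID in plaintext; rotate it and load it from a secret store at runtime."),
    ("CRED-002", "credential-exposure", "critical",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|signing[_-]?key)[\"']?\s*[:=]\s*[\"'][A-Za-z0-9_\-]{20,}[\"']"),
     "Plaintext API or signing key; rotate it and inject short-lived credentials at runtime."),
]

@dataclass
class Finding:
    rule_id: str
    category: str
    severity: str
    path: str
    line: int
    evidence: str
    remediation: str

def scan_files(files: dict, data_lifetime_years: int = 0) -> list:
    """Scan {path: source}. A long data lifetime escalates encryption findings only:
    harvest-now-decrypt-later threatens confidentiality, not signatures verified today."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, category, severity, pattern, remediation in RULES:
                m = pattern.search(line)
                if not m:
                    continue
                if category == "quantum-unsafe-encryption" and data_lifetime_years >= 10:
                    severity = "critical"
                    remediation += f" Data must stay confidential for {data_lifetime_years} years."
                # Never copy a secret into the report; the report would become the next leak.
                evidence = "[REDACTED]" if category == "credential-exposure" else m.group(0)
                findings.append(Finding(rule_id, category, severity, path, lineno, evidence, remediation))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))
    return findings

def build_report(findings: list) -> dict:
    """JSON-serialisable, timestamped report: severity summary, PQC readiness checklist, inventory."""
    summary = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        summary[f.severity] += 1
    seen = {f.category for f in findings}
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "summary": summary,
        "pqc_readiness": {
            "signatures_pq_ready": "quantum-unsafe-signature" not in seen,
            "key_establishment_pq_ready": "quantum-unsafe-encryption" not in seen,
            "no_plaintext_credentials": "credential-exposure" not in seen,
        },
        "findings": [asdict(f) for f in findings],
    }

# Constructed sample inputs standing in for a repository checkout; not real code.
SAMPLE_FILES = {
    "backend/crypto.py": (
        "from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa\n"
        "rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "sig = ec.generate_private_key(ec.SECP256R1()).sign(b'record', ec.ECDSA(hashes.SHA256()))\n"
        "blob = rsa_key.public_key().encrypt(b'dek', padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None))\n"
    ),
    "contracts/Vault.sol": (
        "contract Vault {\n"
        "    address public owner;\n"
        "    function withdraw(bytes32 d, uint8 v, bytes32 r, bytes32 s) external {\n"
        "        require(ecrecover(d, v, r, s) == owner, \"bad sig\");\n"
        "    }\n"
        "}\n"
    ),
    "skills/payments/config.json": '{"api_key": "sk_live_1234567890abcdefghijklmnop", "endpoint": "https://api.example.com"}\n',
    "skills/payments/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Signatures use ECDSA; tokens are kept in the secret store.\n",
}
if __name__ == "__main__":
    print(json.dumps(build_report(scan_files(SAMPLE_FILES, data_lifetime_years=50)), indent=2))
```

Two design points carry over to any real scanner of this kind. Credential findings never quote the matched secret, because a PDF or JSON report is copied around far more freely than the repository it describes. And the README line that merely mentions ECDSA produces nothing, because the rules key on API calls; a scanner that fires on the word alone would bury the genuine findings in documentation noise.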

Pricing

Variable pricing based on scan complexity:

  • $0.50 - Small projects (<10K LOC)
  • $1.50 - Medium projects (10K-100K LOC)
  • $3.00 - Large projects (100K-1M LOC)
  • $5.00 - Enterprise assessments + compliance reporting

Contact & Support

How It Works

  1. Submit code repository URL or smart contract address
  2. CrawDaddy scans for quantum vulnerabilities and crypto threats
  3. Report generated with risk assessment and remediation steps
  4. Ongoing monitoring available for critical infrastructure

Example Use Cases

Healthcare Data Protection

Healthcare organizations storing patient genetic data (50+ year retention):

Patient data with 50-year sensitivity
→ CrawDaddy identifies quantum-unsafe ECDSA usage
→ Recommends post-quantum upgrade path
→ Generates HIPAA-compliant audit trail

Smart Contract Auditing

DeFi protocols deploying long-lived contracts:

Ethereum contract with ECDSA wallet signatures
→ Scan identifies quantum expiration date
→ Report shows Shor's algorithm impact
→ Recommends multi-sig + migration timeline

Agent Security

AI agent platforms using MCP skills:

Agent credentials stored in Redis
→ Scan detects unencrypted API keys
→ Analysis of key rotation policies
→ Recommendations for ephemeral credentials

Technical Details

  • Scanning Engine: Static analysis + LLM-assisted semantic review
  • Coverage: Python, JavaScript/TypeScript, Solidity, Java, Go, Rust, C/C++
  • Output Formats: JSON, PDF, HTML reports
  • Integration: GitHub, GitLab, Blockchain RPC endpoints, AI agent platforms
  • Compliance: SOC 2, GDPR, HIPAA-ready reporting

Tags

security scanning, post-quantum cryptography, smart contracts, agent security, compliance, NIST PQC, ECDSA, healthcare, blockchain

License

CrawDaddy services are provided under the terms of service at quantumshieldlabs.dev. Reports are proprietary to the customer.
