Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CrawlHub

v1.0.0

Sell CrawlHub API keys for Twitter/X crawling via ETH payment. Use when a user wants to buy, access, or get pricing for CrawlHub API access. Handles wallet s...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wolflabs88/crawlhub-reseller.

Install the skill "CrawlHub" (wolflabs88/crawlhub-reseller) from ClawHub.
Skill page: https://clawhub.ai/wolflabs88/crawlhub-reseller
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install crawlhub-reseller

ClawHub CLI

npx clawhub@latest install crawlhub-reseller
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to run a 'Reseller Agent' that issues CrawlHub API keys, verifies Ethereum payments via Etherscan, and runs a server (node dist/server.js). However the repository does not include any server code or a dist/server.js; only two small helper scripts and API documentation are present. There is also an inconsistent price (SKILL.md: 0.010 ETH, references/crawlhub-api.json: 0.015 ETH). The skill does not declare any credentials or configuration for CrawlHub backend access or for Etherscan API keys, yet claims to deliver API keys and perform on-chain verification. These gaps are not proportionate to the stated capability.
[!] Instruction Scope
Runtime instructions tell operators/agents to start a Node server from /root/.openclaw/workspace/reseller-agent and to read/write files at /tmp/reseller-events.json and /root/.openclaw/workspace/reseller-agent/notifications.json. The scripts post JSON-RPC tasks to localhost:3000. The skill's SKILL.md also references on-chain verification (Etherscan) and A2A JSON-RPC interactions with other agents. Instructions reference system/workspace paths outside the skill bundle and give broad discretion to interact with other agents — this expands scope beyond the small included scripts and may cause unintended access to local agent workspace or other skills' files.
Install Mechanism
There is no install spec (instruction-only plus two client helper scripts), so nothing is automatically downloaded. That lowers install-time risk. However the instructions expect a prebuilt Node service at /root/.openclaw/workspace/reseller-agent/dist/server.js to be present and runnable; since that server code is not included, the skill as shipped cannot operate without fetching or placing additional code. Running arbitrary/unreviewed server code in the root workspace would be higher risk if the missing pieces are later sourced from an untrusted location.
[!] Credentials
The skill declares no required environment variables or primary credentials, yet runtime behavior depends on external services: Etherscan for on-chain verification and a CrawlHub backend for API key issuance. No Etherscan API key or CrawlHub service credentials are declared or explained. The skill also hardcodes a payment address (0x19c4...) and asks users to send ETH there — that is a sensitive financial action but not tied to any verifiable operator identity in the package. The lack of declared credentials for service verification is disproportionate to the stated operations.
Persistence & Privilege
The skill is not always-enabled and does not request platform-level privileges, which is good. However it instructs reading/writing files in /root/.openclaw/workspace and /tmp and running a server from that workspace; that can modify agent workspace state and notifications for other local agents. While not automatically granted by the package, these instructions create the expectation of persistent local service and workspace writes if an operator follows them — this should be treated carefully.
What to consider before installing
Do not run or send funds based solely on this package. Before installing or running anything:

  1. Request the missing server/source code (dist/server.js) and review it — do not run code you haven't inspected.
  2. Resolve the pricing inconsistency (0.010 vs 0.015 ETH) and verify the operator identity for the hardcoded payment address.
  3. Ask how Etherscan verification is performed and whether an ETHERSCAN_API_KEY or other credentials are required; ensure those secrets are declared and handled securely.
  4. Confirm where CrawlHub API keys are generated/stored and obtain proof you will receive valid keys (or request an auditable key issuance mechanism).
  5. If you must test, run the reseller service in an isolated sandbox/container with no access to your host /root workspace or other agent data, and do not transfer real ETH until you fully trust the operator.

If the package owner cannot supply a complete server implementation and clear credential handling, treat the skill as incomplete and do not deploy it in production.
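A pre-install check covering four of the findings above: an entry point the bundle does not ship, conflicting ETH prices, hardcoded payment addresses, and host paths outside the bundle. This is an added example, not ClawHub's scanner or code from the skill; `audit_bundle`, the finding labels, and the sample bundle text (including the placeholder address) are constructed, with the prices, paths and entry point taken from the scan text.

```python
import re

ETH_PRICE = re.compile(r"\b(\d+\.\d+)\s*ETH\b")
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Absolute host paths; the lookbehind skips path segments inside URLs.
ABS_PATH = re.compile(r"(?<![\w:/.])/(?:root|tmp|etc|home|var)/[\w./-]+")
NODE_ENTRY = re.compile(r"\bnode\s+([\w./-]+\.js)\b")

def audit_bundle(files):
    """files maps each shipped file's relative path to its text."""
    findings, prices, addrs, paths = [], set(), set(), set()
    for text in files.values():
        prices.update(float(p) for p in ETH_PRICE.findall(text))
        addrs.update(ETH_ADDR.findall(text))
        paths.update(p.rstrip(".") for p in ABS_PATH.findall(text))
        for entry in NODE_ENTRY.findall(text):
            # The docs tell the operator to run code the bundle does not ship.
            if not any(name.endswith(entry) for name in files):
                findings.append(("missing-entrypoint", entry))
    if len(prices) > 1:
        findings.append(("price-mismatch", sorted(prices)))
    findings += [("hardcoded-address", a) for a in sorted(addrs)]
    findings += [("path-outside-bundle", p) for p in sorted(paths)]
    return findings

PLACEHOLDER_ADDR = "0x" + "ab" * 20  # constructed, not a real wallet

# Constructed bundle contents mirroring the lines the scan report quotes.
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "Price: 0.010 ETH per 24 hours\n"
        f"Payment wallet: {PLACEHOLDER_ADDR}\n"
        "cd /root/.openclaw/workspace/reseller-agent\n"
        "node dist/server.js\n"
        "Update /tmp/reseller-events.json with event\n"
        "Base URL: https://api.thecrawlhub.com/api/v1\n"
    ),
    "references/crawlhub-api.json": '{"price": "0.015 ETH"}',
}

if __name__ == "__main__":
    for kind, detail in audit_bundle(SAMPLE_BUNDLE):
        print(f"{kind}: {detail}")
```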

Like a lobster shell, security has layers — review code before you run it.

latest vk975ehrth4dkhxp6djytng4k6x85jfkb
38 downloads
0 stars
1 versions
Updated 2d ago
v1.0.0
MIT-0

CrawlHub Reseller Skill

Sell CrawlHub API keys for Twitter/X crawling — fully automated with ETH payment verification.

Overview

This skill wraps the CrawlHub Reseller Agent which:

  • Verifies wallet ownership via Ethereum signature
  • Verifies ETH payment on-chain via Etherscan
  • Delivers API key + full API documentation
  • Runs as standalone service on port 3000

How It Works

Customer Agent → Signature + TX Hash → Reseller Agent → API Key + Docs

Flow:

  1. Customer signs message with wallet (proves ownership)
  2. Customer sends TX hash (proves payment)
  3. Reseller verifies both on-chain
  4. If valid → API key delivered with CrawlHub API docs

Payment

  • Price: 0.010 ETH per 24 hours
  • Payment wallet: 0x19c4455Bf8C5D8662B434e1985cd31B8947A7C39
  • Verification: Etherscan API check

Customer Request Format

{
  "customerWallet": "0x742d35Cc6634C0532925a3b844Bc9e7595f5bA12",
  "signature": "0x1234abcd...",
  "message": "Request API Key for CrawlHub\nWallet: 0x742d35Cc6634C0532925a3b844Bc9e7595f5bA12\nNonce: abc12345",
  "txHash": "0xabc123def456..."
}

Reseller Agent API

Endpoints:

  • POST /json-rpc — A2A JSON-RPC endpoint (tasks/send, agentcard/get)
  • GET /agent-card — Agent capabilities and endpoints
  • GET /health — Health check

Start Reseller:

cd /root/.openclaw/workspace/reseller-agent
node dist/server.js

CrawlHub API Docs

Full API documentation in references/crawlhub-api.md.

Base URL: https://api.thecrawlhub.com/api/v1

Auth:

  • POST /auth/login → JWT token
  • Use Authorization: Bearer {token} + X-API-KEY: {key}

Endpoints:

  • GET /profile/user/by-screen-name?screen_name={username}
  • GET /profile/tweets/by-screen-name?screen_name={username}
  • GET /timeline/search?query={query}&mode=top
  • GET /tweet/by-id?tweet_id={id}

Verification Results

On successful sale, notify via:

  1. Update /tmp/reseller-events.json with event
  2. Check /root/.openclaw/workspace/reseller-agent/notifications.json

Error Codes

  • Signature verification failed — Wallet signature doesn't match
  • Insufficient payment — Less than 0.010 ETH sent
  • Payment sent to wrong address — TX wasn't to our wallet
  • No API keys available — Pool exhausted
