Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EchoSync
v1.0.0
echosync.io — OAuth, Hyperliquid copy-trade, market info, and trading.
by @ly95
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (OAuth, Hyperliquid copy-trade, market info, trading) align with the included auth.mjs and static assets. Only the node binary is required and the script talks to echosync/hyperliquid endpoints, which is expected for these features.
Instruction Scope
SKILL.md strictly instructs the agent to invoke the provided auth.mjs with specific subcommands and not to improvise alternate flows. The script's operations (start local server for OAuth, save creds, call hygo APIs, print token for scripting) match the documented commands. The skill does not instruct reading unrelated host files or broad system data.
Install Mechanism
No install/download steps are present; this is an instruction-only skill with an included Node script. No remote code is fetched or executed during install.
Credentials
The skill declares no required environment variables; auth.mjs optionally reads a local .env and recognizes ECHOSYNC_* overrides — reasonable as optional configuration. It stores credentials in ~/.echosync/credentials.json and can print raw access tokens to stdout (intended for scripting). Users should be aware that printing tokens or displaying command output in chat can leak secrets if mishandled.
Persistence & Privilege
The script writes files under the user's home (~/.echosync), creates ephemeral lock/port files, and spawns a detached background process for OAuth callback listening on localhost — all consistent with an OAuth helper. It does not request always:true or system-wide configuration changes, but it does persist credentials locally.
Assessment
This skill appears to do what it says: run the included Node helper to perform OAuth and interact with Hyperliquid. Before installing, consider: (1) the helper will save an access token to ~/.echosync/credentials.json — ensure you trust echosync and the environment where the agent runs; (2) the skill starts a background localhost server during login (listening only on 127.0.0.1) — avoid running login on untrusted networks or shared machines; (3) the 'token' subcommand prints raw tokens to stdout for scripting — do not ask the agent to paste tokens into chat or public logs (the SKILL.md also warns about this); (4) review the included auth.mjs if you want to confirm there are no extra network endpoints or unexpected file reads on your host. If you are uncomfortable with local credential persistence or automatic background processes, do not install the skill, or remove the ~/.echosync directory and credentials after use.
auth.mjs:331
Shell command execution detected (child_process).
auth.mjs:54
Environment variable access combined with network send.
auth.mjs:15
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk975yrqy1dey0acx1rk7r8e98h83g6rd
Runtime requirements
⚡ Clawdis
OS: macOS · Linux · Windows
Bins: node
