ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Family Crypto Explainer

v1.0.0

A plain-language explanation helper for talking to family members about crypto involvement. Use when discussing crypto with non-crypto people. Prompt-only.

0· 66·0 current·0 all-time
byhaidong@harrylabsj

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for harrylabsj/family-crypto-explainer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Family Crypto Explainer" (harrylabsj/family-crypto-explainer) from ClawHub.
Skill page: https://clawhub.ai/harrylabsj/family-crypto-explainer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install family-crypto-explainer

ClawHub CLI

Package manager switcher

npx clawhub@latest install family-crypto-explainer
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description and SKILL.md describe a prompt-only explanation helper that needs no files or credentials. However, handler.py contains _load_skill_meta which opens a hard-coded path (/Users/jianghaidong/.openclaw/skills/{skill_name}) and reads SKILL.md from the local filesystem. A prompt-only explainershould not need to access a specific user's home directory; this is disproportionate and unexplained (likely a leftover dev path or a covert local-read).
Instruction Scope
The SKILL.md instructions are scoped to the stated purpose: ask about the family member, identify concerns, translate concepts, and produce a concise output format. The markdown itself does not instruct the agent to read files, call external endpoints, or access environment variables.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However, the package includes code files (handler.py). Although no installer downloads remote artifacts, the presence of handler.py means code will run when the skill is invoked and can perform local I/O — this increases the attack surface compared with a pure prompt-only skill.
!
Credentials
The registry declares no required environment variables or credentials, which matches the described purpose. Nonetheless, handler.py accesses a local path that could expose other skill files or sensitive local data. The file access is not declared or justified by the skill's purpose and is therefore disproportionate.
Persistence & Privilege
The skill does not request always:true and is user-invocable only (normal). There is no evidence it modifies other skills or system settings. The remaining concern is local-file reading by the handler when invoked, which increases potential data exposure but is not a persistence/privilege escalation flag by itself.
What to consider before installing
The SKILL.md is benign and self-contained, but handler.py reads a hard-coded user path (/Users/jianghaidong/.openclaw/skills/{skill_name}) — unexpected for a prompt-only helper. This could expose local files or other skills. Before installing or enabling: 1) ask the publisher why the handler reads a hard-coded home path and request its removal or change to a safe pattern; 2) inspect or remove handler.py (if you only need the prompt) or run the code in a sandboxed environment; 3) if you keep the code, change the path to a safe, configurable location or ensure it only reads files explicitly provided by the platform API; 4) avoid installing if you cannot verify the author's identity or the reason for local file access. If you want, I can suggest an edited handler.py that removes the hard-coded path and only uses passed-in inputs.

Like a lobster shell, security has layers — review code before you run it.

latestvk978af73gs0f1er0em5s2f7aps84z2fc
66downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
haidong@harrylabsj
latest
Download

family-crypto-explainer

A plain-language explanation helper for talking to family members about crypto involvement.

Workflow

  1. Ask who the family member is, their age, financial background, and what prompted the conversation.
  2. Identify the core concern: safety, legitimacy, environmental impact, financial risk, or something else.
  3. Translate the crypto concept into a frame the family member already understands.
  4. Address the specific concern directly, honestly, and without hype.
  5. Give a recommendation on how to continue the conversation.

Output Format

  • Key concern identified
  • Translation in their language
  • Honest assessment of the concern
  • What you would tell them about your own position
  • Suggested closing line for the conversation

Quality Bar

  • Respects the family member's skepticism as valid.
  • Does not oversell or defend crypto aggressively.
  • Honest about risks and uncertainties.

Edge Cases

  • If the family member is elderly or has no financial buffer, lean toward conservative framing.
  • If the family member has been scammed before, take extra care with any language that sounds like a pitch.

Compatibility

  • Prompt-only, works from brief descriptions of the situation.
  • Good companion to scam red flags and wallet safety skills.

Comments

Loading comments...