ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Commerce Migration Guide: Retrofit Your REST APIs for Autonomous Agent Buyers

v1.2.0

Agent Commerce Migration Guide: Retrofit Your REST APIs for Autonomous Agent Buyers. Step-by-step migration guide for teams with existing REST APIs that need...

0· 39·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match the content: retrofitting REST APIs with payment headers, gateway integration, and signing keys is exactly what such a migration guide would discuss. The credentials referenced in the guide (an API key for a payment/escrow gateway and an agent signing key) are plausible for the stated purpose.
Instruction Scope
This is an instruction-only guide (non-executable). The provided content appears to stay within migration-related topics (assessment, adapters, middleware, testing, rollback). However the SKILL.md explicitly references handling of an Ed25519 signing key and gateway API key — sensitive operations. The truncated content prevents full review; confirm the guide does not instruct the agent or the platform to transmit private keys or to read arbitrary system files or environment variables outside those two credentials.
Install Mechanism
No install spec and no code files are present; nothing will be written to disk or executed by the skill itself. This is the lowest-risk install posture for an instructional guide.
!
Credentials
Registry metadata lists no required env vars, but the SKILL.md contains a credentials header naming GREENHELIX_API_KEY and AGENT_SIGNING_KEY. That mismatch is an incoherence in declared requirements. Additionally, AGENT_SIGNING_KEY is a private cryptographic key — sensitive by nature. While these credentials are relevant to the guide's subject, you should not supply private keys or production API keys to a third party or paste them into the platform without knowing exactly how they'll be used and stored.
Persistence & Privilege
always is false and the skill is non-executable and instruction-only. It does not request persistent presence or modify other skills or system-wide agent settings.
What to consider before installing
This guide appears to cover exactly what it claims (adding per-call commerce, signing, and gateway integration), but it references two sensitive credentials inside SKILL.md even though the registry metadata lists none — that's the main red flag. Before installing or using the skill: 1) Do not paste production private keys or API keys into the skill UI or chat. Prefer testing with ephemeral or dev keys. 2) Confirm whether the platform or skill will ever receive or store your GREENHELIX_API_KEY or AGENT_SIGNING_KEY; if unsure, run the guide locally instead of giving keys to the platform. 3) Ask the maintainer (or inspect the full SKILL.md) whether any guidance instructs the agent to transmit environment variables, read arbitrary files (e.g., ~/.ssh, /etc/*), or call endpoints beyond your own API and the named gateway. 4) If you will implement the changes, follow least-privilege for gateway keys, keep signing keys offline where possible, and rotate keys used for testing. If you want, provide the full (untruncated) SKILL.md and I can re-check for any instructions that attempt to exfiltrate secrets or access unrelated system state.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk977s8xfy6njbx53swqrkv3b0184s217greenhelixvk977s8xfy6njbx53swqrkv3b0184s217guidevk977s8xfy6njbx53swqrkv3b0184s217latestvk977s8xfy6njbx53swqrkv3b0184s217migrationvk977s8xfy6njbx53swqrkv3b0184s217openclawvk977s8xfy6njbx53swqrkv3b0184s217rest-apivk977s8xfy6njbx53swqrkv3b0184s217retrofitvk977s8xfy6njbx53swqrkv3b0184s217x402vk977s8xfy6njbx53swqrkv3b0184s217

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments