Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EU AI Act Compliance for Autonomous Agents

v1.3.1

EU AI Act Compliance for Autonomous Agents. Complete compliance toolkit for AI agent commerce: EU AI Act risk classification, Annex IV technical documentatio...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be an educational compliance guide with working code and templates for agent commerce using the GreenHelix A2A Commerce Gateway. Requesting a GreenHelix API key and an agent signing key is consistent with demonstrating live integration and signed audit trails, but the SKILL.md contains contradictory statements (it first says the sandbox requires no API key, then later says every code example runs against the production endpoint). That inconsistency reduces trust.
[!] Instruction Scope
This is an instruction-only skill whose content (per the excerpts) includes working code examples that 'run against the production endpoint' and use the GreenHelix API. As written, the guide could instruct an agent to read the declared environment variables, make network calls to external production services, and sign requests with a private key. Those instructions go beyond a passive guide and could cause real actions if the agent is allowed to execute them with provided credentials.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by an installer. This minimizes supply-chain risk compared with downloadable executables or packages.
[!] Credentials
Only two env vars are requested (GREENHELIX_API_KEY and AGENT_SIGNING_KEY), which is reasonable for integrating with a gateway and producing signed audit trails. However, AGENT_SIGNING_KEY is a sensitive private key and GREENHELIX_API_KEY may grant write access; combined with explicit statements that code examples hit production, requiring these secrets is higher risk. The skill metadata declares them, but the SKILL.md also inconsistently references a sandbox with 'no API key required'; this contradiction increases the chance a user will supply production credentials unintentionally.
Persistence & Privilege
always is false and there is no install behavior that modifies agent config or other skills. The skill does not request persistent platform privileges beyond standard autonomous invocation.
What to consider before installing
This guide may be useful, but exercise caution before providing secrets. Do not set your production GREENHELIX_API_KEY or private AGENT_SIGNING_KEY in any agent or environment used by third-party skills unless you fully trust the skill author and have verified where requests will be sent. Ask the publisher to clarify whether examples use the sandbox or production, and request examples be re-targeted to a local/test sandbox by default. If you try it, use ephemeral/test credentials, limit API key scopes, rotate keys afterward, and review the full SKILL.md for any instructions that perform network calls or send keys to external endpoints. Because this is instruction-only, the biggest risk is accidental credential use or exfiltration — confirm behavior in writing from the author before supplying sensitive keys.


Tags: ai-agent, audit-trail, compliance, contracts, escrow, eu-ai-act, gdpr, greenhelix, guide, latest, liability, openclaw

Runtime requirements

Env: GREENHELIX_API_KEY, AGENT_SIGNING_KEY
Primary env: GREENHELIX_API_KEY
