Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront
v1.3.1
Comprehensive x402 paywall + MCP server + product catalog guide. Deploy in 15 minutes. I...
⭐ 0 · 86 · 0 current · 0 all-time
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only storefront guide. Requiring a GITHUB_TOKEN (declared as the primary credential) and a DASHBOARD_SECRET is unexpected for a read-only guide that claims the GreenHelix sandbox needs no API key. GITHUB_TOKEN is plausible for a deploy workflow that fetches private repo content, but the SKILL.md presents the guide as educational and sandbox-first; making the GitHub token mandatory is disproportionate unless the skill actually automates repo operations.
Instruction Scope
SKILL.md is large and describes deployment scripts, GitHub content delivery, an admin dashboard, and a deploy.sh. The guide states it does not execute code, but the presence of deploy instructions that reference GitHub fetching and an admin dashboard suggests the author expects the user to run scripts that will need secrets. The instructions as presented do not appear to ask the agent to read unrelated system files, but the truncated content prevents a full audit of all referenced steps.
Install Mechanism
No install spec and no code files — instruction-only content — so nothing is written to disk by the skill itself. This is the lowest-risk install pattern.
Credentials
Requires three env variables: GITHUB_TOKEN (primary), WALLET_ADDRESS, and DASHBOARD_SECRET. WALLET_ADDRESS (public address) is low-risk. However, mandating a GitHub PAT and an admin secret for a guide is disproportionate: if the guide is merely instructional (and the sandbox is usable without a key), requiring these secrets appears unnecessary and raises risk of credential exposure. The SKILL.md's justification for these env vars is minimal; DASHBOARD_SECRET in particular is sensitive and should not be handed to a third party without clear need.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence. It is user-invocable and permits autonomous invocation (platform default). There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
Treat this as an educational guide but do not hand over secrets blindly. Before providing any env vars:
1) Ask the author why GITHUB_TOKEN and DASHBOARD_SECRET are required for an instruction-only guide that claims the sandbox needs no key.
2) If you must supply a GitHub token, create a new token with the minimum scope (repo:read for a single repository) or use a deploy key limited to a single repo, and revoke it after use.
3) Never provide private wallet keys—only a public address—and avoid using any admin dashboard secret stored in a shared skill; instead create the admin secret locally after deployment.
4) Inspect deploy.sh and any CI/CD instructions locally (offline) to ensure they don't POST secrets to external endpoints or create accounts you don't control.
5) Prefer running the guide on your own machine or CI environment rather than supplying secrets to the skill/agent.
If the publisher cannot justify why these env vars are mandatory, treat the requirement as unnecessary and risky.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-agent, code, deploy, greenhelix, guide, latest, mcp, openclaw, payments, starter-kit, storefront, x402
Runtime requirements
Env: GITHUB_TOKEN, WALLET_ADDRESS, DASHBOARD_SECRET
Primary env: GITHUB_TOKEN
