Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hedera Transaction Builder
v1.0.0
Build, sign, and submit Hedera transactions including HBAR transfers, token operations, and smart contract calls to the Hedera network.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (build, sign, submit Hedera transactions) aligns with the SDK usage shown, but the registry metadata declares no required credentials or config while the instructions implicitly require access to a signing key (operatorKey or a wallet like HashPack). Requiring no credentials is not coherent with a transaction-signing tool.
Instruction Scope
SKILL.md instructs installing @hashgraph/sdk and shows code that signs transactions with an operator key or HashPack, but it does not specify how keys are loaded (env vars, key files, wallet flow). Because it omits safe key-handling guidance, users might be prompted to paste private keys or expose credentials to the agent — the instructions are incomplete and risk-prone.
Install Mechanism
There is no formal install spec in the skill bundle; SKILL.md tells the user to run `npm install @hashgraph/sdk`. Installing the official npm package is expected for this purpose, but the absence of an install specification in the registry (and no pinned version or integrity guidance) reduces clarity and reproducibility.
Credentials
The skill declares no required environment variables or primary credential even though signing and submitting transactions requires private keys or a wallet connection. This under-declaration is disproportionate and increases the chance of insecure key handling. The listed network endpoints are external but expected for Hedera.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It appears not to require persistent elevated privileges.
What to consider before installing
This skill appears to be a helper for building Hedera transactions, but it doesn't tell you how to provide signing keys safely. Before installing or using it:
(1) don't paste private keys into chat or into an agent — prefer connecting a wallet (e.g., HashPack) or setting keys in a secure environment variable/file on your machine;
(2) run `npm install @hashgraph/sdk` yourself in a controlled environment and review the package/version you're installing;
(3) verify the network endpoints and prefer official Hedera endpoints/documentation;
(4) ask the skill author to declare required env vars (e.g., HEDERA_OPERATOR_ID, HEDERA_OPERATOR_KEY), provide secure key-handling instructions, and supply a homepage or source so you can audit code.
If the skill is updated to explicitly declare required credentials and safe signing flows (wallet integration or clear operator setOperator guidance) and includes a source/homepage, the coherence concerns would be reduced.
Like a lobster shell, security has layers — review code before you run it.
