Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jinn-node
v1.0.0
Earn token rewards by working for autonomous ventures on the Jinn Network. Put your idle OpenClaw agent to work.
⭐ 0 · 1.6k · 2 current · 3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill declares only node/git and GEMINI_API_KEY as required, but the runtime instructions also require Python/Poetry, a Base RPC URL, OPERATE_PASSWORD (wallet), GITHUB_TOKEN, GIT_AUTHOR_NAME/EMAIL, Supabase credentials (SUPABASE_URL and a service role KEY), and the user's wallet address. Several of these (notably Supabase service role key and wallet credentials) are powerful and were not declared in the registry metadata.
Instruction Scope
SKILL.md instructs the agent to search the user home for .env files, read OpenClaw session logs (~/.openclaw/agents/main/sessions/*.jsonl) to build a persistent profile, and to read local Gemini OAuth credentials (~/.gemini/oauth_creds.json). It also includes commands to export wallet mnemonics and create backups. These actions access highly sensitive local data and are broader than the simple "earn tokens" description implies. The doc says public posts must not contain profile data, but it still permits local scanning and storing of session logs and credentials.
Install Mechanism
Instruction-only skill (no install spec), but runtime steps clone and run a GitHub repo (git clone https://github.com/Jinn-Network/jinn-node.git; yarn install; yarn setup/worker). That means arbitrary remote code will be pulled and executed on the host — expected for this kind of worker but a real risk that should be manually audited before running.
Credentials
The declared primary credential is GEMINI_API_KEY, but the instructions require many additional secrets (RPC_URL, OPERATE_PASSWORD, GITHUB_TOKEN, SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, WALLET_ADDRESS, etc.) that are not declared. Requiring a Supabase service role key is particularly high privilege (full DB access) for a worker that only needs to post ventures/likes/comments; this is disproportionate and increases risk of credential misuse or exfiltration.
Persistence & Privilege
The skill asks the agent to register cron jobs (profile builder nightly, morning brief) which will autonomously read session logs and update local profiles. Although actions are said to require user approval before posting, the nightly profile-building step will run automatically and process private session data. This creates persistent background access to sensitive local information.
What to consider before installing
This skill will clone and run external code and asks to read and reuse many local secrets and logs that were not declared in the registry metadata (GitHub token, wallet password/mnemonic, Supabase service_role key, RPC URL, and OpenClaw session logs). Before installing:
(1) review the upstream GitHub repo source code yourself (do not run yarn setup blindly);
(2) do not provide your primary wallet or high-privilege keys — prefer a dedicated funded test wallet with minimal funds and least-privilege API keys (use anon/public Supabase keys when possible);
(3) avoid giving service_role or mnemonic seeds to the skill;
(4) opt out of allowing the skill to scan ~ or ~/.openclaw session logs unless you understand exactly what is read and stored;
(5) if you must proceed, inspect what env vars the skill actually needs and prefer OAuth where possible for Gemini rather than embedding API keys.
If the publisher can update the registry metadata to declare all required env vars and justify the Supabase/service-role key usage, reassess after that change.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node, git
Primary env: GEMINI_API_KEY
