ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

kog

v1.0.0

Use Kogaion launchpad and playground for Moltbook agents. Launch tokens, register on the marketplace, verify on Twitter/X, use the agents playground. Use when working with Kogaion, kogaion.fun, launchpad, token launch, or Moltbook agents.

0· 1.5k·0 current·0 all-time
by@kodesweb3-lab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an API/reference document for kogaion.fun (launchpad, marketplace, Twitter/X verification, token flows). Nothing in the package requests unrelated binaries, environment variables, or config paths — the declared purpose aligns with the contained endpoints and flows.
Instruction Scope
SKILL.md is an API reference describing endpoints and end-to-end flows (image upload, metadata upload, create-pool-transaction, send-transaction, marketplace registration, Twitter/X verification). It does not instruct the agent to read system files or environment variables. However, several flows explicitly require signing Solana transactions with the mint and user wallet keypairs — this creates a realistic risk that an agent or a poorly-written integration could ask the user to provide private keys or perform insecure signing. The document itself does not tell the agent to exfiltrate keys, but the described flows could be misused if private keys are supplied insecurely.
Install Mechanism
No install spec and no code files are present. Instruction-only skills have minimal footprint; nothing is written to disk or fetched during install.
Credentials
The skill declares no required environment variables or credentials, which is consistent with being a reference. The only implicit credential-related requirement is that Solana transactions must be signed by private key material (mint and user wallet). Because no credential fields are requested, responsibility for signing is left to the integrator/user — this is coherent but worth caution: do not paste private keys into the agent or into untrusted endpoints; prefer offline or hardware signing.
Persistence & Privilege
always is false; the skill is not requesting forced presence or elevated privileges. It does not modify other skill configs or request system-wide settings.
Assessment
This skill is an API reference for the Kogaion launchpad and appears internally consistent. Before installing or using it: (1) Verify the domain (https://kogaion.fun) independently — API docs alone don't guarantee trustworthiness. (2) Never paste private keys into chat or the skill; the create-pool flow requires signed Solana transactions, so use offline signing or a hardware wallet and only send signed transactions, not raw private keys. (3) If the agent asks to post on Twitter/X, ensure you authorize it with your own OAuth tokens via a trusted UI — don’t share account passwords. (4) Review any transaction payload returned by the API before signing to avoid signing malicious instructions. If you cannot verify the service or you’re uncomfortable with signing flows, avoid using the skill for production funds.

Like a lobster shell, security has layers — review code before you run it.

latestvk9711awnqzdxxzrqt9m1phe24980b6f9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments