Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Maestro Api

v0.2.4

Query Maestro APIs over HTTP using the SIWX + JWT + x402 credit purchase flow. Resolve the exact endpoint from docs.gomaestro.org before requesting or paying.

by Varderes @vardominator
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match the runtime instructions: resolving docs.gomaestro.org, performing unauthenticated requests, doing SIWX authentication, and buying credits via the x402 flow. Asking for a wallet signer and funds is coherent with the stated purpose. Minor concern: the package metadata declares no required environment variables or primary credential even though the SKILL.md explicitly says the agent will need a PRIVATE_KEY or a runtime wallet signer and on-chain funds.
Instruction Scope
SKILL.md is narrowly scoped to resolving an operation page in docs.gomaestro.org, issuing the HTTP request, handling 402/SIWX/JWT flows, and performing the specified payment retry. It does not instruct broad system scanning or exfiltration, and it contains concrete steps (confirm before first paid mainnet request). The instructions do ask the agent to perform signing and to send payment headers and JWTs — exactly what this API requires.
Install Mechanism
No install spec and no code files — instruction-only skill. This reduces disk-write/remote-code risks; there are no external downloads or package installs to review.
Credentials
The functional flow requires a signing capability (PRIVATE_KEY or runtime CDP wallet signer) and on-chain funds (USDC + gas). That is proportionate to making paid Maestro requests, but those are highly sensitive credentials. The skill's metadata lists no required env vars or primary credential, so there's a mismatch between what it will need at runtime and what is declared in the registry. Because the agent will be asked to sign EIP-191 and EIP-712 messages and potentially submit payments, users should not paste long‑term private keys into prompts; a hardware/external signer, ephemeral key, or explicit gating is recommended.
Persistence & Privilege
The skill does not request always:true, has no special OS or install privileges, and does not modify other skills. Model invocation is allowed (normal). Nothing in the files requests persistent agent-level changes.
What to consider before installing
This skill performs real Maestro API calls and may ask you to sign messages and pay on-chain. Before using it: (1) do not paste a long‑term private key into a chat prompt — prefer a hardware or external signer or an ephemeral/test key; (2) demand explicit, human confirmation before any mainnet payment (network, pay_to address, amount in USDC atomic units, and the docs page used); (3) test on a non‑mainnet network first; (4) verify docs.gomaestro.org is the correct official docs URL and confirm the operation page it resolved; (5) consider using a wallet that can produce signatures without exposing raw private key material (browser wallet, HSM, or wallet-connect flow). The skill's registry metadata lacks declared credentials and has no homepage or source, so you should be cautious about trusting it with real funds or private keys.

Like a lobster shell, security has layers — review code before you run it.

