OpenServ Client
v1.0.4
Complete guide to using @openserv-labs/client for managing agents, workflows, triggers, and tasks on the OpenServ Platform. Covers provisioning, authenticati...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md align: this is a client for the OpenServ platform (provisioning agents, triggers, workflows, x402 payments, ERC-8004). Example code and API reference are consistent with that purpose. However, the registry metadata declares no required environment variables or credentials while the instructions repeatedly rely on WALLET_PRIVATE_KEY, OPENSERV_API_KEY, and OPENSERV_AUTH_TOKEN (and describe writing them to disk). That metadata omission is an inconsistency.
Instruction Scope
Runtime instructions (and examples) instruct the agent/app to create or reuse an Ethereum wallet, authenticate using WALLET_PRIVATE_KEY, persist state to .openserv.json, and (per troubleshooting) write WALLET_PRIVATE_KEY / OPENSERV_* values into .env. Examples also print webhook tokens and API keys to stdout. These actions read/write sensitive secrets and local state and will transmit/propagate credentials to the platform—behavior that is outside a harmless 'reference guide' scope and should be explicitly disclosed.
Install Mechanism
This is instruction-only, with a recommended npm install of the package (@openserv-labs/client). There is no install spec that downloads arbitrary archives or runs remote installers, so the installation risk from the skill bundle itself is low. Example code is included, but no embedded build or install steps modify system binaries.
Credentials
The SKILL.md and examples require and manipulate sensitive environment variables (WALLET_PRIVATE_KEY, OPENSERV_API_KEY, OPENSERV_AUTH_TOKEN) yet the skill metadata lists none. The instructions even describe provision() writing private keys to .env—storing private keys in plaintext files is high-risk and should be treated as a significant privilege. The number and sensitivity of env interactions are proportionate to a platform client, but the lack of explicit declaration and the advice to persist secrets are concerning.
Persistence & Privilege
The skill does not request 'always: true' and does not change other skills' configs, but it explicitly persists local state (.openserv.json and .env) and can create/delete platform resources (examples include a cleanup script with --all). Autonomous invocation is allowed (default), which combined with secret persistence means a compromised or misused agent could act against the platform or leak credentials—this is expected for a client but important to be aware of.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. The client documentation doesn't need to override system prompts; this may be an artifact or an attempt to manipulate agent/system behavior. Treat the presence of such patterns as suspicious and review the SKILL.md and examples for hidden instructions or phrasing that could instruct an embedding agent to change its own system messages.
What to consider before installing
This package appears to be a genuine platform client, but there are a few red flags you should consider before installing or running it:
1) Metadata omission: the registry entry lists no required environment variables, yet the documentation and examples use WALLET_PRIVATE_KEY, OPENSERV_API_KEY and OPENSERV_AUTH_TOKEN. Assume these secrets are required.
2) Secrets handling: provision() and troubleshooting describe writing private keys to .env and persisting .openserv.json—storing private keys in plaintext files is risky. Review the code paths that write files and consider keeping keys in a secure vault instead.
3) Token leakage: example scripts print webhook tokens and API keys to stdout; avoid running examples in shared logs or CI without sanitization.
4) Destructive actions: the cleanup example can delete all platform resources; be cautious with --all and run in a controlled account.
5) Origin unknown + prompt-injection signal: the source/homepage is unknown and a prompt-injection pattern was detected in SKILL.md—verify package provenance (official registry, maintainer contact, code signatures) before trusting it.
Recommended actions: inspect the actual library code (not just docs) for where it writes .env/.openserv.json and for any network endpoints it calls; run examples in an isolated environment with throwaway credentials; if you need to use it in production, prefer manually managing credentials (do not permit provision() to persist your private key) and consider using hardware or vault-backed wallet signing.
Like a lobster shell, security has layers — review code before you run it.
