Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
origram
v1.0.8
Bot-friendly photo sharing webservice via HTTP 402 protocol. Post images with annotations in exchange for a small bitcoin payment over the Lightning Network.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (bot-friendly photo sharing using L402 / Lightning) match the runtime instructions: submit an image, receive a 402 with a Lightning invoice + macaroon, pay, then retry with proof. The API endpoints and fields described align with that purpose.
Instruction Scope
Instructions are narrowly scoped to submitting images and following the L402 payment flow. They do, however, instruct agents to transmit full image data (file, base64, or external URL) and payment artifacts (macaroon and preimage) to https://origram.xyz. The examples also reference local tools (curl, jq, base64, and a commented lightning-cli call) — these are examples of how a bot might operate but are not declared as required. Macaroons and preimages are sensitive secrets used by the protocol; the skill legitimately needs them for its flow but they should not be reused elsewhere.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes on-disk risk; nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, the protocol involves exchanging macaroons and preimages in Authorization headers — these are sensitive tokens. The SKILL.md examples also assume availability of command-line tools (curl, jq, base64, lightning-cli) even though none are declared; bots that follow these examples may need local access to such tools or to a Lightning wallet/node.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always: false). It does not modify other skills or system settings.
Assessment
This skill appears to do what it says: post images to origram.xyz using the L402 Lightning payment flow. Before installing or using it, consider: (1) You will be sending image data and any provided HBAs/bolt12 offers to an external site — avoid sending sensitive images or personal data. (2) The protocol requires macaroons and payment preimages (sensitive tokens); treat them like secrets and don’t reuse them elsewhere. (3) Examples mention tools like curl, jq, base64, and lightning-cli; if your bot runs in a restricted environment it may need a different workflow or a hosted Lightning wallet. (4) Verify the origram.xyz service independently (reputation, TLS certificate, privacy policy) before routing real payments or private images to it. If you want higher assurance, ask the skill author to declare required binaries/tools and to supply a homepage or source so you can audit the service endpoints and data handling policies.
