Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill

v1.0.2

Use when the user asks to create, generate, build, audit, fix, compile, or look up smart contracts and tokens. Pentagonal Clawd is a sovereign smart contract...

byAchilles@achilles1089
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description claim a full smart-contract forge (generate, audit, fix, compile, deploy) and the SKILL.md documents those flows. However, in the absence of the referenced MCP tools the direct (Mode B) API only supports token lookups; generation/audit/fix/compile require MCP tool availability or a Pentagonal account. The manifest declares no required credentials, which is inconsistent with features that require an API key or account.
Instruction Scope
The instructions tell the agent to call pentagonal.ai endpoints (curl) and include example commands that reference environment variables (e.g., $PENTAGONAL_API_KEY, $PRIVATE_KEY, etherscan API key). The skill manifest did not declare these env vars. The skill also provides deployment commands that use a private key (examples show $PRIVATE_KEY). The agent instructions therefore reference and could cause access to sensitive secrets that were not declared in the skill metadata.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk or downloaded during install. That reduces installer risk.
Credentials
The SKILL.md references sensitive environment variables and API keys (PENTAGONAL_API_KEY, PRIVATE_KEY, etherscan API key) but the manifest lists no required env vars or primary credential. Requesting or referencing private keys and API keys without declaring them is disproportionate and may cause accidental exposure if the agent has access to environment secrets.
Persistence & Privilege
The skill is not always:true and has no install step that modifies agent configuration. Model invocation is allowed (default) which is expected for skills; there is no elevated persistence requested.
What to consider before installing
Before installing, verify the vendor and hosting (pentagonal.ai) and ask the publisher for a homepage or source repo. Note that many of the skill's advanced features only work if the platform exposes MCP tools — otherwise Mode B only does token lookups. Do NOT place private keys or broad API keys in an agent-wide environment; if you must use an API key, prefer a key with minimal privileges and store it outside the agent environment or use short-lived credentials. Ask the publisher to update the manifest to declare required env vars (PENTAGONAL_API_KEY etc.) and to explain what the agent will do if those values exist. Finally, always review generated contract source code and audit results yourself before running any deployment commands that use private keys or RPC endpoints.
