Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Garden Temp Market (GTM)
v1.0.1
Participate in Base's GTM by betting if today's 18:00 UTC garden temperature will be higher or lower than yesterday's, sharing winnings from the pot.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name, files, and SKILL.md all describe interacting with a daily temperature prediction market on Base (contract address, RPC, cast examples, Bankr payloads). The included source, README, and PLAYERS.md are consistent with that purpose. No unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions are narrowly focused on reading contract state (cast call) and submitting bets (cast send or Bankr JSON). They reference using a private key (e.g. $KEY / YOUR_PRIVATE_KEY) to sign transactions — expected for on‑chain actions but not declared in requires.env. The README explicitly warns about the trusted keeper model. No instructions ask the agent to read arbitrary host files or exfiltrate data.
Install Mechanism
No install spec is provided (instruction-only skill at runtime), so nothing is automatically downloaded or executed by an installer. The repo includes Foundry/forge-std files and scripts, but those are static file contents in the bundle — they are not executed unless a user/agent explicitly runs them.
Credentials
The skill declares no required environment variables (none in requires.env), which is proportionate. However SKILL.md and README show usage examples that require a private key (PRIVATE_KEY, $KEY) and a Basescan API key for deployment — the skill does not declare these, so a user/agent must supply them externally to place bets or deploy. This is expected for blockchain interaction but is an important user responsibility.
Persistence & Privilege
The skill does not request always:true, does not declare persistence or modify other skills, and has normal autonomous-invocation settings. There is no evidence it attempts to persist credentials or modify global agent config.
Scan Findings in Context
[base64-block] unexpected: A base64-block pattern was flagged in SKILL.md pre-scan. The SKILL.md contains long code blocks and examples (JSON, bash) but no obvious base64 payload; this looks like a false positive or heuristic hit from long/encoded-looking blocks. Still, treat any unexpected opaque blobs with caution.
Assessment
This skill appears to be a straightforward helper for a Base-based temperature prediction market. Before installing or using it: (1) do not paste your private key into untrusted places — the instructions require a signing key to send bets (cast/Bankr), so use a secure wallet or signing service; (2) verify the contract addresses and keeper/trust model yourself — the README warns the keeper submits settlement values off-chain; (3) the bundle contains Foundry/forge-std helper files (including a script that fetches cheatcodes from GitHub if you run it) — only run included scripts if you trust their behavior and source; (4) avoid reusing sensitive credentials (PRIVATE_KEY, BASESCAN_API_KEY) unless you control them and understand the transaction consequences. If you want additional assurance, ask the skill author for a canonical homepage/repo or an audit of the contract and keeper workflow.
Like a lobster shell, security has layers — review code before you run it.
