ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QMAP Client

v0.1.2

CLI tool for the QuantMap distributed computing protocol. Manages node setup, task execution, and result submission on devnet.

0· 209·0 current·0 all-time
byKarden@chatrichai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chatrichai/qmap-client.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "QMAP Client" (chatrichai/qmap-client) from ClawHub.
Skill page: https://clawhub.ai/chatrichai/qmap-client
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, npm
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install qmap-client

ClawHub CLI

Package manager switcher

npx clawhub@latest install qmap-client
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (CLI for a devnet distributed-compute protocol) matches the required binaries (node, npm) and the SKILL.md's install of @alphify/qmap-client. However the registry metadata claims no required config paths or env vars while the SKILL.md references ~/.qmap/profiles/devnet.env and local identity files — a metadata/instruction mismatch.
Instruction Scope
Instructions explicitly tell an agent/user to install the qmap CLI globally and run wallet/node management and task-claiming commands. Those commands will read/write local identity files and contact a network (devnet). The instructions do not ask the agent to read unrelated system files, but they do rely on a local config path that the registry did not declare.
Install Mechanism
The SKILL.md calls for npm i -g @alphify/qmap-client (a public npm package). Installing a global npm package is a moderate-risk install mechanism because it downloads and executes third-party code and writes binaries to the system PATH. This is expected for a CLI but the registry-level install spec was absent/empty while the SKILL.md includes its own install instructions.
!
Credentials
No env vars or credentials are declared, yet the tool manages wallets/identities and references ~/.qmap/profiles/devnet.env and local identity files (likely containing private keys). The skill does not declare this sensitive config path in its registry metadata, so the agent/user could inadvertently expose or let the agent operate on secrets without clear notice.
Persistence & Privilege
always is false and the skill is not force-included; autonomous invocation is allowed (platform default). The skill does request installing a global binary (which persists on disk), but it doesn't claim elevated platform privileges or modify other skills' configs.
What to consider before installing
This skill appears to be a normal CLI for a devnet protocol, but there are two things to check before installing or allowing agent-driven use: (1) verify the npm package (@alphify/qmap-client) is from a trusted source — inspect its npm page, tarball, or source repository and prefer installing manually in a sandbox; (2) be aware the CLI will create and use local identity files (~/.qmap/...), which likely contain private keys; back them up, restrict their filesystem permissions, and don't let an autonomous agent run wallet/join-network commands with them unless you trust the package. If you need higher assurance, request the skill provider's source repo or a reproducible build, run the CLI in a container or VM, and avoid global npm installs (use a virtual environment or npm prefix) or give the skill least privilege by running commands manually rather than allowing autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
OSLinux · macOS
Binsnode, npm
devnetvk97cxggt5dshjwsayh6jxzcx9s835fstlatestvk97cxggt5dshjwsayh6jxzcx9s835fstprotocolvk97cxggt5dshjwsayh6jxzcx9s835fsttoolingvk97cxggt5dshjwsayh6jxzcx9s835fst
209downloads
0stars
3versions
Updated 1h ago
v0.1.2
MIT-0
Linux, macOS
Karden@chatrichai
devnetlatestprotocoltooling
Download

QMAP Client

A CLI for the QuantMap distributed computing protocol. Connects nodes to a task execution network on devnet.

Version: 0.1.2

Setup

Install globally:

npm i -g @alphify/qmap-client

Initialize and register:

qmap --profile devnet wallet init
qmap --profile devnet wallet show
qmap --profile devnet join-network --role worker --stake 0 --claim-next

Commands

# Node management
qmap --profile devnet wallet init
qmap --profile devnet wallet show

# Task execution
qmap --profile devnet task list --status open --limit 10
qmap --profile devnet worker claim-next
qmap --profile devnet worker run --once

# Validation
qmap --profile devnet validator auto-vote --once

# Coordination
qmap --profile devnet coordinator auto-finalize --once

# Status
qmap --profile devnet config show

How It Works

  1. Initialize a local identity
  2. Register as a node on the network
  3. Claim and execute tasks automatically
  4. Results are validated by peer nodes
  5. Accepted results earn protocol rewards

Configuration

~/.qmap/profiles/devnet.env

Notes

  • Devnet environment only
  • Identity files are stored locally and never uploaded
  • All operations use authenticated message signing

Comments

Loading comments...