Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Self-hosted Crypto Payment

v1.0.1

Add self-custodied crypto payment checkout to a Next.js + Supabase app. Accepts ETH, BTC, SOL, USDC, USDT and 25+ coins across 9 chains. No payment processor...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from the suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md align with the stated purpose: it derives HD wallet addresses (EVM/BTC/SOL), creates pending payment records, polls blockchains, and applies payments. Requiring a master mnemonic (CRYPTO_MASTER_MNEMONIC) and a cron secret is consistent with self-custodied payments. However, the registry metadata lists "Required env vars: none" while SKILL.md and the code explicitly require CRYPTO_MASTER_MNEMONIC and CRON_SECRET; that omission is an inconsistency you should not ignore.
Instruction Scope
SKILL.md is explicit: copy server-side files into Next.js routes, install listed npm deps, add CRYPTO_MASTER_MNEMONIC and CRON_SECRET, and configure a cron to hit the protected endpoint. The instructions restrict mnemonic to server-side and explicitly warn not to import wallet code into client components. The instructions do ask the agent to read/write project files (copy templates), which matches allowed-tools and the skill's purpose.
Install Mechanism
There is no automated install spec (instruction-only). The SKILL.md instructs installing standard npm packages (ethers, @scure/*, @solana/web3.js, qrcode). These are expected and proportionate. No arbitrary binary downloads or remote archives are used by the skill itself.
Credentials
The code and SKILL.md require two sensitive environment values: CRYPTO_MASTER_MNEMONIC (the BIP39 mnemonic controlling all derived deposit addresses) and CRON_SECRET (protecting the cron endpoint). Both are proportionate to the functionality but are extremely high-value secrets. The registry metadata incorrectly reported "none" for required env vars, a potentially dangerous omission. The skill also relies on your existing server-side Supabase client configuration (service role keys) but does not list any Supabase service role env vars itself; make sure your existing server helpers are already correctly configured.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It requires file read/write/edit permissions to copy templates into your repo — that's expected for a code scaffolding skill. It does not attempt to modify other skills or system-wide agent configuration. No persistent autonomous privileges beyond normal skill behavior are requested.
What to consider before installing
Key points to review before installing:
- This is true self-custody: CRYPTO_MASTER_MNEMONIC controls every derived deposit wallet. If it is compromised you lose the funds. Keep it in a secrets manager (Vercel, AWS, etc.), never in a checked-in .env file. Prefer a dedicated hot wallet holding minimal funds for day-to-day payments, and use a multisig or a sweep strategy for long-term storage.
- The registry metadata omitted the required env vars. Do not trust the registry summary; follow SKILL.md and the code, which require CRYPTO_MASTER_MNEMONIC and CRON_SECRET.
- Make CRON_SECRET strong and store it in your hosting provider's cron configuration so the cron request carries Authorization: Bearer <CRON_SECRET>. The code compares the secret with timingSafeEqual over fixed-length buffers; even so, test cron auth in a staging environment before relying on it.
- The skill assumes a working server-side Supabase service client helper. Verify your service role keys and RLS policies, and confirm that neither the mnemonic nor any private key reaches a client bundle. Never import crypto-wallets.ts from client code.
- Audit the copied server files (resources/*.ts) yourself before deploying, and test on testnets first. The RPC endpoints hard-coded in the code are public; replace them with paid or private providers if you need higher reliability.
- Consider the operational risks: preventing address reuse, DB backups, expiry windows, token-decimal edge cases, chain reorganizations, and the legal and compliance implications of accepting crypto in your jurisdiction.
- For stronger assurance, ask the publisher for provenance (homepage, source repo) and a security review; the registry metadata lists neither a homepage nor a source, which reduces traceability.
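To make the cron-auth point concrete, here is an added example of what a correctly protected Next.js App Router handler looks like. It is not the skill's code (resources/check-crypto-payments-route.ts is not reproduced here) and is written against the standard Request/Response API so it runs outside Next.js; the route path, the helper names and the 32-character minimum length enforced on CRON_SECRET are assumptions made for the example. The comparison hashes both sides to fixed 32-byte digests before calling timingSafeEqual, which both satisfies timingSafeEqual's equal-length requirement and avoids an early length check that would leak the secret's length.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Minimum acceptable CRON_SECRET length: an assumption for this example,
// not a value taken from the skill.
const MIN_SECRET_LENGTH = 32;

// Constant-time comparison of two secrets. timingSafeEqual throws when the
// buffers differ in length, and comparing lengths up front would itself leak
// the secret's length, so both values are reduced to 32-byte SHA-256 digests.
export function secretsMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Pull the token out of an "Authorization: Bearer <token>" header value.
// Returns null for a missing or malformed header.
export function bearerToken(header: string | null): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m?.[1] ?? null;
}

// Decide whether a cron request may run the payment check. A missing or
// weak CRON_SECRET fails closed rather than leaving the endpoint open.
export function isAuthorizedCron(
  authHeader: string | null,
  cronSecret: string | undefined,
): boolean {
  if (!cronSecret || cronSecret.length < MIN_SECRET_LENGTH) return false;
  const token = bearerToken(authHeader);
  if (token === null) return false;
  return secretsMatch(token, cronSecret);
}

// Hypothetical handler for app/api/check-crypto-payments/route.ts.
// Next.js App Router passes a standard Request, so no Next import is needed.
export async function GET(request: Request): Promise<Response> {
  const ok = isAuthorizedCron(
    request.headers.get("authorization"),
    process.env.CRON_SECRET,
  );
  if (!ok) {
    return new Response("unauthorized", { status: 401 });
  }
  // Chain polling and payment application would go here (the skill's own
  // logic, not shown). Only server-side code ever touches the mnemonic.
  return new Response(JSON.stringify({ ok: true }), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}
```

Note that the handler fails closed when CRON_SECRET is unset: a deployment that forgot the variable gets 401 on every cron tick, which is noisy in logs but never exposes the polling endpoint to anonymous callers.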
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
resources/check-crypto-payments-route.ts:20
Environment variable access combined with network send.
