Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deploy Spark Bitcoin L2 Proxy

v1.0.0

Deploy a serverless Spark Bitcoin L2 proxy on Vercel with spending limits, auth, and Redis logging. Use when user wants to set up a new proxy, configure env...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (deploy a Spark Bitcoin L2 proxy on Vercel with auth, spending limits, and Redis logging) align with the actions described in SKILL.md: cloning a GitHub repo, installing Node dependencies, creating an Upstash Redis instance, setting Vercel env vars, and deploying. However, the registry metadata states 'Required env vars: none' while the SKILL.md requires multiple environment variables (SPARK_MNEMONIC, UPSTASH_REDIS_REST_URL/TOKEN, API_AUTH_TOKEN, etc.). That metadata omission is inconsistent and should be corrected.
Instruction Scope
The runtime instructions direct the operator to handle and provision highly sensitive secrets: the wallet BIP39 mnemonic (controls funds), Upstash credentials, and Vercel tokens / project config. They also instruct cloning and npm installing a third-party GitHub repo (which will pull dependencies). Those actions are coherent with deploying this proxy, but they expand the trust surface significantly: the operator must review the repo and its dependencies because those components will run with access to the mnemonic and tokens. The SKILL.md also prescribes creating credentials via APIs (Upstash, Vercel) — reasonable for deployment but sensitive.
Install Mechanism
This is an instruction-only skill (no install spec), so nothing will be written by the skill itself. The instructions tell the user to git clone https://github.com/echennells/sparkbtcbot-proxy.git and run npm install. That is normal for deploying a Node app, but it means you should audit the repository and its npm dependencies before running them because arbitrary code will be fetched and executed on your machine or deployment target.
Credentials
The SKILL.md requires multiple sensitive environment values (SPARK_MNEMONIC, UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN, API_AUTH_TOKEN, implicitly the Vercel token and project/team ids, plus spending caps). These are proportionate to running a wallet-backed proxy, but they are high-risk secrets. The registry metadata's failure to declare these required env vars increases concern: the skill was published without listing the sensitive data it requires. Ensure each secret is strictly necessary and scoped appropriately (use least privilege, limited budgets, and rotate tokens).
Persistence & Privilege
The skill is not marked always:true, has no install script, and does not request persistent platform-level privileges. It does not modify other skills or system-wide agent settings. Deployment will create external resources (Upstash DB, Vercel deployment) but that is expected for this use case.
What to consider before installing
This skill does what it says (deploys a wallet-backed proxy) but it requires handing over highly sensitive secrets — most importantly the wallet mnemonic and cloud/service tokens — and the registry metadata did not list those requirements. Before proceeding:
1) Do not paste your real mnemonic or long-term keys into anything you haven't audited; consider using a throwaway/test mnemonic with minimal funds for initial testing.
2) Review the GitHub repository and its package.json (npm deps) for unexpected code or network calls before running npm install.
3) Limit Upstash and Vercel credential scopes where possible, create least-privilege API keys, and rotate them after setup.
4) Use the proxy's scoped tokens (invoice/admin) and set conservative MAX_TRANSACTION_SATS and DAILY_BUDGET_SATS values.
5) Ask the publisher to fix the registry metadata to enumerate the required env vars and describe exactly what each secret is used for.
If you are uncomfortable storing a mnemonic in Vercel envs, consider self-hosting or alternative architectures (read-only endpoints, custodial services, or hardware-based signing).

Like a lobster shell, security has layers — review code before you run it.

latest · vk97dn8xjxmm6kynm9yydt0nhh1819jjk
