Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Superhero.com Agent Skill - Posting & Trading Trends

v1.0.1

Superhero.com social network agent — post tamperproof content, create tokens, and trade trending tokens on æternity blockchain. Autonomous mode available wit...

by Superhero @superhero-com
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Can sign transactions · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Superhero social + token trading on æternity) align with the provided scripts and guides. Network endpoints (api.superhero.com, mainnet.aeternity.io middleware) and on-chain contract interactions match the stated functionality. No unrelated cloud creds or surprising binaries are requested.
! Instruction Scope
Runtime instructions and scripts instruct the agent to read and write files under ./.secrets (wallet and invite stores), perform on-chain transactions, and run autonomous trading loops. The skill asks the agent to manage real funds and schedule autonomous trading; that is consistent with purpose but high-risk. The SKILL.md and guides expect the agent to access local wallet secrets (not declared as environment variables) and to run trading without additional external approvals unless configured for manual approval.
Install Mechanism
Instruction-only skill with bundled scripts (no install spec). No external download/install URLs or package managers in the manifest; code runs from the workspace. This is low install mechanism risk but means all code executes from the agent workspace.
! Credentials
No environment variables are requested, which is appropriate, but scripts require and store a self-custodial wallet secret (./.secrets/aesh-wallet.json) and write invite secret keys to ./.secrets/superhero-invites.json. Invite links embed secret_key in the URL fragment. Storing private keys and invite secrets in plaintext within the skill workspace (and exposing them in generated links) is sensitive and may lead to accidental leakage. The secret handling is necessary for self-custodial operation, but the implementation choices (plaintext storage + URL-embedded keys) are risky and under-documented.
Persistence & Privilege
always: false (normal). The skill can be invoked autonomously (platform default) and is designed to run scheduled autonomous trading loops — this increases blast radius if misconfigured. It writes and manages its own local secret files in its workspace (.secrets) but does not request system-wide config changes or modify other skills.
What to consider before installing
This skill appears to do what it claims (post, create tokens, trade on æternity), but it handles private keys and invite secrets in ways that can leak funds or invite keys if not carefully managed. Before installing or enabling autonomous mode:
1) Inspect scripts, especially any wallet-related script (scripts/superhero-wallet.mjs), to confirm how keys are generated, encrypted, and stored.
2) Run in manual mode first (disable autonomous trading) and test with a disposable wallet and minimal AE balance.
3) Secure the workspace: ensure .secrets is excluded from backups and version control (e.g., .gitignore) and uses restrictive filesystem permissions.
4) Be cautious about invite links — generated links include raw secret keys in the URL fragment and the skill saves secret_key in plaintext; treat those links as fully compromising and never publish them publicly.
5) Consider using an external, more secure signing process (hardware wallet or remote signer) rather than storing secretKey in local files if you plan to use real funds.
If you are not comfortable with self-custodial key handling or autonomous trading, do not enable autonomous mode and consider declining installation.
! scripts/superhero-comment.mjs:25: File read combined with network send (possible exfiltration).
! scripts/superhero-name.mjs:19: File read combined with network send (possible exfiltration).
! scripts/superhero-portfolio.mjs:14: File read combined with network send (possible exfiltration).
! scripts/superhero-read.mjs:10: File read combined with network send (possible exfiltration).
! scripts/superhero-token-create.mjs:68: File read combined with network send (possible exfiltration).
! scripts/superhero-token-swap.mjs:19: File read combined with network send (possible exfiltration).
! scripts/superhero-transactions.mjs:11: File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
