ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xpr-xmd

v0.2.11

Interact with Metal Dollar (XMD) stablecoin to mint, redeem, check supply, collateral reserves, and oracle prices with zero fees and multi-collateral support.

2· 685·1 current·1 all-time
by@paulgnz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill implements read-only RPC helpers and write tools that sign transactions using a user's XPR private key — this capability matches the described mint/redeem functionality. However, the skill.json manifest declares no required env vars (requires.env is empty) while src/index.ts clearly expects XPR_PRIVATE_KEY, XPR_ACCOUNT, and XPR_PERMISSION. The absence of declared credentials in the manifest is inconsistent and surprising for users.
!
Instruction Scope
SKILL.md documents read-only tools and notes that write tools require confirmation, but it does not document the need to provide a private key/account via environment variables. The code reads process.env.XPR_PRIVATE_KEY and process.env.XPR_ACCOUNT directly for signing; this access to sensitive secrets is not described in the runtime instructions, which is scope mismatch and a user-notice problem.
Install Mechanism
There is no install spec (instruction-only), which reduces install risk. The runtime code dynamically imports '@proton/js' for signing — a legitimate dependency for EOS/Proton-style transaction signing — but no dependency/install information is declared in the manifest. This may cause runtime failures or hidden dependency pulls if the environment attempts to install packages automatically.
!
Credentials
The code requires highly sensitive environment variables (XPR_PRIVATE_KEY and XPR_ACCOUNT) for write operations. That is proportionate to the claimed write capability (signing on-chain), but the skill fails to declare these requirements in skill.json and SKILL.md. Not declaring sensitive credentials is a serious transparency issue: a user could unintentionally provide a key without realizing which skill will use it, or fail to realize the risk of granting signing capability.
Persistence & Privilege
The skill is not force-included (always: false) and does not attempt to modify other skills or system-wide settings. Autonomous invocation is enabled by default (disable-model-invocation: false) but this is normal; no elevated permanence or cross-skill modifications are present.
Scan Findings in Context
[process_env_private_key_access] unexpected: src/index.ts reads process.env.XPR_PRIVATE_KEY and process.env.XPR_ACCOUNT to create a signing session. Requesting a private key is expected for on-chain write operations, but the skill manifest does not declare these env vars, so the access is not documented in metadata or SKILL.md.
[dynamic_import_proton_js] expected: The code dynamically imports '@proton/js' to construct a JsonRpc/Api and JsSignatureProvider for signing transactions. This dependency is expected for the described write (mint/redeem) functionality, but the package/dependency is not declared in an install spec or manifest.
What to consider before installing
This skill provides read-only analytics and also supports mint/redeem operations that require signing with your XPR private key. Before installing or enabling write actions: 1) Treat XPR_PRIVATE_KEY as extremely sensitive — only supply it if you fully trust the skill and its author. 2) Ask the maintainer to update skill.json and SKILL.md to explicitly list required env vars (XPR_PRIVATE_KEY, XPR_ACCOUNT, XPR_PERMISSION) and describe when they are used. 3) If you only need read-only data, avoid supplying any private key and use the read tools; consider running the included test-read.mjs in an isolated environment to verify read-only behavior. 4) Prefer using a separate account or a key with limited permissions (if possible) for signing, and review the code locally to confirm there are no unexpected network endpoints or exfiltration logic. 5) If you cannot confirm the origin/trustworthiness of the owner (owner id: kn7fkc3h30sk93cx039q57pqj5812pkc, source unknown), avoid providing credentials and treat the skill as untrusted for write operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk976xj0p9se14hfgvzbf76y4yx81311d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments