Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZAP1 - Zcash Attestation

v0.2.1

Provides cryptographic attestation for AI actions with Zcash-anchored proofs, policy enforcement, session tracking, and verifiable proof checkpoints.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (Zcash attestation, policy enforcement, session tracking) matches the code: the package registers hooks to attest messages/events and exposes tools to query/submit attestation data. The plugin expects a configured apiKey and agentId (via plugin config) for write operations, which is consistent with the stated functionality.
Instruction Scope (flagged)
The runtime hooks automatically hash and POST message contents, channel IDs, sender IDs, session keys and other metadata to an external API (default: https://pay.frontiercompute.io). While the plugin hashes content before sending, hashes of short or predictable inputs can be brute-forced; some endpoints (e.g., memo decode) accept raw hex bodies. SKILL.md suggests obtaining API keys via messaging a third party (Signal) — an unusual operational detail that increases trust requirements. The hooks also inject periodic checkpoint messages into conversations that include links to the remote API.
Install Mechanism
No installer or external binary downloads are declared (instruction-only install path). Source files are included in the package (dist/ and src/). There is a package-lock.json with many (dev) dependencies not visible in package.json (Anthropic/AWS-related entries); that is odd but not an immediate code-execution risk by itself — still worth verifying the lockfile provenance and that no unexpected native modules/binaries are included.
Credentials
The plugin requires an API key and agentId in its plugin config (not environment variables). Those credentials are proportional for a service that writes attestation events. However, some tools (create_api_key, list_webhooks, create_event) appear to perform administrative or write operations — they require a privileged API key. Only provide such a key if you trust the operator or self-host the backend.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges. It registers hooks within the agent runtime (expected for this functionality) and does not appear to mutate other plugins' configurations.
Scan Findings in Context
[pre-scan-injection] expected: No pre-scan injection signals were detected. The plugin nevertheless performs outbound HTTP calls (fetch) to a remote API for attestation, which is expected for this purpose.
What to consider before installing
This plugin will automatically hash and transmit message metadata and some content-derived hashes to an external ZAP1 service (default pay.frontiercompute.io). That behavior matches its attestation purpose but has privacy and trust implications:

1) Only configure the plugin with an API key you control (prefer a key from a self-hosted ZAP1 instance if possible).
2) Avoid providing a highly privileged API key unless you trust the backend operator; admin tools can create API keys and list webhooks.
3) Be aware that hashed data can sometimes be reversed (short or predictable messages), so do not assume hashing alone preserves privacy.
4) The SKILL.md suggests getting a key via messaging a third party — verify the operator's identity and repository provenance (the SKILL references frontiercompute.io and a GitHub repo; confirm those links actually host the code and maintainers).
5) The package includes a package-lock.json with many extra dev dependencies — verify the published package contents and ensure no unexpected binaries are shipped.

If you need this capability but want lower risk, host your own ZAP1 backend and only give the plugin a write key for that instance. If you cannot verify the backend/operator, treat this plugin as potentially leaking metadata and avoid enabling the write hooks.


latestvk9702vkzdcbkvtr09yph9gw5fx845tdk
