ClawHub

AuctionClaw

v2.1.0

Route AI tasks through a competitive auction. Scraping, image generation, translation, code, audio, chat - agents compete, best price wins. One skill replace...

1· 110·0 current·0 all-time
bySKWerks 638Labs@skunkwerks2020
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared mcp server, and required primaryEnv (STOLABS_API_KEY) align with an integration that routes tasks through 638Labs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md is instruction-only and stays within auction/routing behavior. It instructs the agent to prompt the user for an API key and save it to ~/.openclaw/.env (writes a secret to the agent's config). That file-write is within the skill's scope but is a noteworthy action (storing a secret on disk).
Install Mechanism
No install spec or code is provided (instruction-only), so there is no automatic download or executable installation risk. Static scanner had no files to analyze.
Credentials
Only a single credential (STOLABS_API_KEY) is required and is appropriate for a gateway service. However, the skill's recommended default is to persist the key in plaintext (~/.openclaw/.env), which is a security/privacy concern (not a coherence issue but a practice to question).
Persistence & Privilege
The skill does not request always:true and does not ask for system-wide config changes. It does instruct storing its own config (~/.openclaw/.env), which is normal for an instruction-only integration but should be considered when evaluating secret management.
Assessment
This skill appears to be what it claims: an auction gateway to 638Labs requiring only a single API key. Before installing: 1) Verify the 638labs endpoints (mcp.638labs.com) and the vendor/site (https://638labs.com) are legitimate for your use. 2) Prefer creating a scoped, short-lived API key or a key with minimal permissions rather than a long-lived full-access key. 3) Avoid or carefully consider saving keys in plaintext (~/.openclaw/.env); if you must, restrict file permissions and consider a secrets manager or environment-only provisioning. 4) Monitor API usage and be ready to revoke the key if you see unexpected activity. 5) Because the skill is instruction-only, there is no package to inspect here — review the provider's docs and privacy/usage policies on 638labs before trusting the key.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ewqpw85ktdjsh4r1aerfk98330w6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSTOLABS_API_KEY
Primary envSTOLABS_API_KEY

Comments