Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cpbox-answers
v1.0.0
USE FOR AI-grounded answers via OpenAI-compatible /chat/completions. Two modes: single-search (fast) or deep research (enable_research=true, thorough multi-s...
⭐ 2 · 67 · 0 current · 0 all-time
by springmint @sprintmint
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (AI-grounded answers) match the instructions: the SKILL.md documents OpenAI-compatible chat completion calls to https://www.cpbox.io and a payment flow. Required resources (none declared) are proportional to this purpose.
Instruction Scope
Instructions direct the agent to send user prompts and metadata to external endpoints (cpbox.io and cppay.finance) and to perform an EIP-712 payment signature flow. This is coherent for a paid API, but it does mean user prompts and any included context will be transmitted to third parties. The SKILL.md references a local README prerequisite that isn't included with the skill bundle.
Install Mechanism
No install spec or code is present (instruction-only), so nothing is written to disk by the skill. The doc suggests using npx @springmint/x402-payment (a third-party npm package) to automate payments — that is an external action the operator would run, but it is optional and not enforced by the skill.
Credentials
The skill declares no required env vars or credentials. However, the payment flow requires signing (EIP-712) with a wallet/private key at runtime; the SKILL.md assumes the client can perform signing (or use the payment SDK). Users must ensure wallet keys/signing are handled securely — the skill does not request keys itself, but the flow requires them.
Persistence & Privilege
always is false and there is no install-time behavior or claims to persist or modify other skills or system settings. The skill does not request elevated agent privileges.
Assessment
This skill is coherent for a paid answers API, but before installing or using it you should:
1) verify the reputations of https://www.cpbox.io and https://www.cppay.finance and confirm they are the intended providers;
2) inspect the @springmint/x402-payment package (if you plan to npx it) — prefer installing verified packages rather than running one-off npx commands;
3) never paste private keys/seed phrases into prompts or into ad-hoc signing helpers — use a dedicated signing wallet or hardware wallet and limit its exposure;
4) test with non-sensitive sample prompts to confirm behavior and evidence (headers, which data is sent) before sending sensitive data;
5) ask the publisher for a source repository, privacy policy, and terms of service (these are missing from the skill metadata) — having a homepage or source repo would raise confidence.
Additional info that would increase confidence: an official homepage/repo, published npm package with known maintainer, and privacy/security documentation describing how user data and payments are handled.
