Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cpbox-batch-balance
v1.0.0 · Guide users on how to use the Batch EVM Address Balance Query API (/api/x402/batch-balance). Use when users ask about batch balance queries, multicall balanc...
⭐ 2· 93·0 current·0 all-time
by springmint@sprintmint
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description describe a batch EVM balance API and the SKILL.md provides endpoints, request/response formats, and examples that align with that purpose. The declared dependency (@springmint/x402-payment) is relevant to the x402 payment flow described.
Instruction Scope
Runtime instructions include examples that require signing payments (EIP-712 typed-data signatures) and that show a private key string (YOUR_PRIVATE_KEY_HEX) embedded directly in code. The skill also references a relative README path (../README.md#prerequisites) that may not exist in the runtime environment, since a skill is normally installed without its parent repository. The instructions direct the agent or user to contact external endpoints (https://www.cpbox.io and https://www.cppay.finance); that is expected for this API, but worth noting because every signed payment is sent to those pay endpoints.
Install Mechanism
There is no install spec in the registry (the skill is instruction-only), but the SKILL.md uses npx @springmint/x402-payment and links to GitHub for SDKs. That implies the agent or user will fetch and execute third‑party packages at runtime (npm packages or Go modules). Fetching packages on demand is a moderate risk if the package or its dependencies are untrusted, and because the npx invocation carries no version, a later release of the package would run without any change to the skill; the absence of an explicit install spec or pinned release reduces traceability.
Credentials
The skill does not declare required environment variables, yet its examples require a private key (signer.NewEvmClientSigner("YOUR_PRIVATE_KEY_HEX")). Asking users or agents to provide raw private keys, or to sign payments, is high sensitivity: a key that reaches an agent's context or transcript can be logged, echoed, or exfiltrated. The skill should explicitly declare what credentials are needed and how to supply them safely (for example, a hardware wallet or a separate signing server holding a low-balance key).
Persistence & Privilege
The skill is not always-enabled and does not request system-level persistence or modify other skills. Autonomous invocation is allowed by default but not combined with other elevated privileges here.
What to consider before installing
This skill appears to document a legitimate paid batch-balance API, but be cautious before using it. Key points to consider:
- Do not paste or store your main private keys directly into examples or into an agent; prefer a hardware wallet, ephemeral signing key, or a signing service with minimal funds/permissions.
- The SKILL.md expects you to run third‑party packages (npx @springmint/x402-payment or go SDK). Verify the package authors, check the package version, and review the code or use a pinned release before running npx or installing dependencies.
- Confirm the API domains (https://www.cpbox.io and https://www.cppay.finance) are the real services you expect and review their docs/privacy/payout behavior.
- The skill does not declare required secrets or a safe method for signing; ask the skill author to explicitly list required credentials, recommended secure signing options, and an install spec (pinned package versions) before using in production.
If you only need read-only balances and want to avoid payment/signing complexity, ask the provider if a free tier or alternative endpoint exists that doesn’t require on‑chain payment signatures.
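The checklist above (pinned package versions, no private keys in source, links that resolve inside the skill, known API hosts) can be applied mechanically before a SKILL.md is handed to an agent. The following Python is an added example, not ClawHub's scanner and not code from the cpbox-batch-balance skill: it runs those rules as static checks over a constructed SKILL.md excerpt shaped like the findings in the scan report. The regexes, the sample text, the host allow-list, and the fake 64-hex key are this example's own assumptions.

```python
"""Static pre-install checks for an agent skill's SKILL.md.

Added example; the rules below are heuristics written for this page,
not the registry's scanner. The sample SKILL.md is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed fake key: "0x" + 64 hex characters. Not a real key.
FAKE_KEY = "0x" + "ab" * 32

# Constructed excerpt resembling what the scan report describes.
SAMPLE_SKILL_MD = f"""\
# cpbox-batch-balance
See ../README.md#prerequisites for setup.

## Node
npx @springmint/x402-payment pay --endpoint https://www.cpbox.io/api/x402/batch-balance

## Go
s := signer.NewEvmClientSigner("YOUR_PRIVATE_KEY_HEX")
pay := client.New(s, "https://www.cppay.finance")
export X402_KEY={FAKE_KEY}
"""

# npx invocation whose package (scoped or plain) carries no @version suffix.
UNPINNED_NPX = re.compile(r"\bnpx\s+(?:--yes\s+|-y\s+)?((?:@[\w.-]+/)?[\w.-]+)(?!@)\b")
# A raw 32-byte key as 64 hex digits, with or without a 0x prefix.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
# Placeholders that tell the user to paste a key into code.
KEY_PLACEHOLDER = re.compile(r"YOUR_PRIVATE_KEY|PRIVATE_KEY_HEX|privateKey\s*[:=]\s*['\"]", re.I)
# Relative links that climb out of the skill's own directory.
PARENT_LINK = re.compile(r"(?<![\w/])\.\./[\w./#-]+")
URL = re.compile(r"https?://[^\s\"')>]+")


def check_skill(text, allowed_hosts=()):
    """Return one finding per issue as {'line': n, 'kind': ..., 'detail': ...}.

    allowed_hosts: hostnames the operator has already vetted; any other
    host found in a URL is reported as an external endpoint to review.
    """
    allowed = set(allowed_hosts)
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in UNPINNED_NPX.finditer(line):
            findings.append({"line": n, "kind": "unpinned-package", "detail": m.group(1)})
        if HEX_KEY.search(line):
            findings.append({"line": n, "kind": "raw-private-key", "detail": "64-hex literal"})
        elif KEY_PLACEHOLDER.search(line):
            findings.append({"line": n, "kind": "key-in-source",
                             "detail": "private key passed as a string literal"})
        for m in PARENT_LINK.finditer(line):
            findings.append({"line": n, "kind": "path-outside-skill", "detail": m.group(0)})
        for m in URL.finditer(line):
            host = urlparse(m.group(0)).hostname or ""
            if host not in allowed:
                findings.append({"line": n, "kind": "external-endpoint", "detail": host})
    return findings


def finding_kinds(findings):
    """Sorted set of distinct finding kinds, for a quick pass/fail summary."""
    return sorted({f["kind"] for f in findings})


if __name__ == "__main__":
    for f in check_skill(SAMPLE_SKILL_MD):
        print(f"line {f['line']}: {f['kind']} ({f['detail']})")
```

Run on the constructed sample, the checker reports the unpinned npx package on the Node line, the key placeholder on the Go signer line, the fake raw key on the export line, the ../README.md link, and both external hosts; passing the hosts you have vetted in allowed_hosts silences only those. A pinned invocation such as npx @scope/pkg@1.2.3 produces no unpinned-package finding, which is the form to ask the skill author for.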
Latest version: vk970gbsk5mj16dr61fayr86a1d838e53
Runtime requirements
💰 Clawdis
