Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cpbox-images-search

v1.0.0

USE FOR image search. Returns images with title, source URL, thumbnail. Supports SafeSearch filter. Up to 200 results.

by springmint@sprintmint
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name and description (image search, thumbnails, safesearch, up to 200 results) match the SKILL.md, which documents a dedicated images-search API on https://www.cpbox.io and output schema appropriate for image search.
Instruction Scope
The instructions direct the agent to call an external API (cpbox.io) that uses a payment protocol (x402) and refer to installing/using payment tooling (npx @springmint/x402-payment or x402-sdk-go). The SKILL.md also references prerequisite setup steps in a README at a relative path (../../README.md) that isn't included in the package. While calling an external paid API is consistent with the purpose, the payment flow and SDK usage broaden the runtime behavior beyond simple read-only image search and require trusting third-party tooling and networks.
Install Mechanism
This is instruction-only (no install spec, no code files). However, SKILL.md recommends invoking an npm package via npx or a Go SDK; that will pull and execute third-party code at runtime if used. The manifest does not ship or pin those packages.
Credentials
The manifest lists no required environment variables or credentials, but the SKILL.md explicitly requires completing x402-payment setup and signing requests (PAYMENT-SIGNATURE). That implies secret keys or payment credentials will be provided somewhere — the skill manifest does not declare or justify those secrets, creating a transparency gap about what credentials an agent or user must supply.
Persistence & Privilege
The skill does not request always: true, does not declare installs that write system-wide config, and is user-invocable only. It does allow normal autonomous invocation (platform default).
What to consider before installing
This skill appears to be a straightforward image-search proxy that charges per request. Before installing: (1) confirm how you will provide payment credentials and where they are stored — the manifest does not declare them, so check the README/setup referenced in SKILL.md; (2) review the reputations and privacy policies of https://www.cpbox.io and https://www.cppay.finance and the payment SDK (e.g., @springmint/x402-payment) since running npx will fetch third-party code at runtime; (3) avoid entering high-privilege keys until you verify the exact secrets required and how they are used; (4) test with minimal queries and monitor network/billing activity; and (5) if you need stronger assurances, request the README and any setup scripts from the skill author or prefer a skill that declares its required credentials explicitly in the manifest.
