Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cpbox-local-descriptions

v1.0.0

USE FOR getting AI-generated POI text descriptions. Requires POI IDs obtained from web-search (with result_filter=locations). Returns markdown descriptions g...

by springmint@sprintmint
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (AI-generated POI descriptions using POI IDs from a web-search) align with the runtime instructions: the SKILL.md documents calling a cpbox.io endpoint with POI IDs obtained from web-search (result_filter=locations). The listed service domains (cpbox.io, cppay.finance) are consistent with the described provider/facilitator roles.
Instruction Scope
Instructions are scoped to calling the cpbox.io API and obtaining POI IDs from a prior web-search step. However, the skill requires an external payment flow (x402) and refers to a README for setup; it tells the agent to use an external payment SDK which may execute network calls and prompt for signing. The instructions do not ask the agent to read local files or secrets, but they do direct execution of external tooling (npx) and network requests to third-party domains.
Install Mechanism
Instruction-only skill with no install spec and no code files. No packages are installed by the skill itself; risk comes from following the provided commands (e.g., using npx to run an external package) rather than from an installer embedded in the skill.
Credentials
The SKILL.md requires a payment setup (x402-payment) and recommends npx @springmint/x402-payment or a Go SDK, but the skill metadata declares no required environment variables or credentials. This is an inconsistency: the payment SDK or signing step will likely require keys, wallets, or other secrets that are not documented in the skill manifest, so it is unclear what sensitive data will be needed or transmitted to the facilitator (cppay.finance).
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges. It is user-invocable and does not declare that it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (generate AI descriptions for POIs) but relies on an external pay-per-use flow and an npm SDK that the skill does not declare credentials for. Before installing or running:

1) Inspect the payment flow and SDK (@springmint/x402-payment) separately — npx will fetch and execute code from npm, so review the package and its source first.
2) Verify what credentials or signing keys the x402 payment flow requires and which domain will receive them (cppay.finance/cpbox.io).
3) Confirm privacy and billing terms for cpbox.io and cppay.finance and whether any sensitive data (e.g., API keys, wallet keys) will be transmitted or stored.
4) If you must use the SDK, prefer installing and reviewing it locally (not blindly running npx), and only grant minimal, purpose-limited credentials.

If you want higher assurance, request that the skill author declare required env vars and provide a clear README describing the exact credential and key handling.



