Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cpbox-local-pois

v1.0.0

USE FOR getting local business/POI details. Requires POI IDs obtained from web-search (with result_filter=locations). Returns full business information inclu...

by springmint (@sprintmint)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (local POI details) match the SKILL.md: it documents a GET to cpbox.io to return business details and requires POI IDs from a prior web-search. No unrelated credentials or binaries are requested.
Instruction Scope
Instructions are limited to calling the cpbox API and following the x402 payment flow. They explicitly reference obtaining POI IDs from a separate web-search skill and optionally sending user location via X-Loc-Lat/Long headers. The instructions do instruct network calls to external domains (cpbox.io and cppay.finance) and to sign payment requests; they do not ask the agent to read local files or unrelated env vars.
Install Mechanism
The skill is instruction-only (no install spec) which minimizes on-disk changes. However, the docs recommend using npx @springmint/x402-payment or x402-sdk-go to automate payment — npx will dynamically fetch code from npm at runtime, which is a potential supply-chain/runtime risk if you don't trust the package or registry.
Credentials
The manifest requests no environment variables or credentials. That said, the x402 payment flow will require you to sign payment requests using a wallet/key on your machine; the SKILL.md claims keys 'stay on your machine' (the skill itself stores nothing). This is proportionate to a paid API, but you must ensure private keys/wallets are handled locally and not exfiltrated.
Persistence & Privilege
The always flag is false; the skill is user-invocable and instruction-only, with no code or install step that would persist or modify other skills or agent config. It does not request elevated persistence or system-wide config changes.
Assessment
This skill is an instructions-only connector for a paid CPBOX local-POI API and appears internally consistent. Before installing or using it, verify you trust the external domains (https://www.cpbox.io and https://www.cppay.finance) and the referenced payment SDK (@springmint/x402-payment) because the flow requires signing a payment. Be aware that sending X-Loc-Lat/X-Loc-Long will transmit user location to the provider, and using npx will download and run code from npm at runtime. Do not expose private keys; use a wallet that keeps keys local and inspect the payment SDK/docs and the GitHub prerequisites link before proceeding.
