Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cpbox-spellcheck

v1.0.0

USE FOR spell correction. Returns corrected query if misspelled. Most search endpoints have spellcheck built-in; use this only for pre-search query cleanup o...

by springmint @sprintmint
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and runtime instructions all describe a simple spellcheck HTTP API. There are no unexpected credentials, binaries, or config paths requested that don't match the stated purpose.
Instruction Scope
Instructions are scoped to issuing HTTP GETs to https://www.cpbox.io/api/x402/spellcheck and handling the x402 payment flow. They do not ask the agent to read local files or system state. Note: the docs suggest using npx @springmint/x402-payment (which runs code fetched from npm) to automate payment signing — this expands runtime behavior beyond simple HTTP requests.
Install Mechanism
There is no declared install spec (instruction-only), which is low-risk. However the Quick Start suggests using npx to fetch @springmint/x402-payment; npx dynamically downloads and executes a package from the npm registry at runtime, which is a moderate-risk operation if you don't trust that package or registry.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for an API proxy that uses a separate payment/signing step handled locally.
Persistence & Privilege
always:false (default) and no instructions to modify agent/system configuration. The skill does not request persistent/system-level privileges.
Assessment
This skill is an instruction-only wrapper for a paid external spellcheck API (https://www.cpbox.io) and is internally consistent with that purpose. Before using it: (1) understand you will be making requests to a third-party service and may incur charges via the x402 payment flow; (2) avoid sending sensitive data or PII in queries unless you trust the service and its privacy policy; (3) be cautious about using the suggested npx @springmint/x402-payment command because npx will download and execute code from npm; review that package and its source before running; (4) verify the facilitator and API endpoints are genuine if you need to trust payments. If you need stronger assurance, ask the skill author to provide the x402 client code or an explicit vetted install spec rather than an ad-hoc npx suggestion.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a11r6ndbv5hs0qwvgry2c61838ahv

