Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ace Competitions
v1.0.0
Ace competitions agent workflow - search, enter, track competitions. Uses browser automation for form filling, email verification, and competition entry. Int...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description promises end-to-end competition discovery and entry automation, but the SKILL.md assumes the presence of local scripts (agents/ace/scripts/*), a competitions_dashboard module, and a preconfigured workspace under /root/.openclaw/workspace. The skill bundle contains no code, no declared dependencies, and no environment variables — so it cannot actually perform the claimed tasks as distributed. It also references a phone number for verification codes and an email address, resources that the skill does not explain how to access or secure.
Instruction Scope
Runtime instructions direct the agent to execute local Python scripts, configure cron jobs, read/write a local SQLite DB and JSON files, drive browser automation (capture screenshots), monitor an inbox for verification emails, and interact with an externally-addressable dashboard at http://161.97.110.234:3001. Those actions involve file I/O, persistent scheduling, network access, and handling of verification codes — none of which are declared or scoped in the skill metadata. The instructions also include a real phone number labeled as 'Stef's' for SMS verification, but no mechanism for SMS retrieval is described.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk, but this also means the skill assumes pre-existing code and environment on the host. That reliance on undeclared local artifacts is an operational mismatch: the skill will fail or cause the agent to search for/execute missing files unless those files are manually installed by the user.
Credentials
The instructions require access to an email inbox and (implicitly) SMS verification capability, a SQLite DB path under /root/.openclaw/workspace, and the ability to set cron entries and make outbound network connections. Yet the registry metadata lists no required environment variables, no credentials, and no config paths. Required secrets (mailbox credentials, any API keys for browser automation or external services) are not declared, which is disproportionate and opaque.
Persistence & Privilege
While always:false, the skill explicitly instructs configuring cron jobs to run recurring tasks and to publish a dashboard reachable at a public IP. That creates persistent behavior and a long-lived attack surface (scheduled scripts, stored DB, exposed JSON/API). The skill does not describe who controls the dashboard host or how data access is secured.
What to consider before installing
Do not install or enable this skill until the author provides the missing pieces and clarifications. Specifically:
1) Ask for the actual code/scripts referenced (agents/ace/..., competitions_dashboard, email_manager.py) or confirm they will not be executed automatically.
2) Require an explicit list of environment variables/credentials needed (email/IMAP/SMTP creds, any API keys) and why each is needed.
3) Clarify how SMS verification is handled (who owns the listed phone number, how codes are retrieved) — avoid giving the agent access to someone else's phone.
4) Confirm the dashboard host (161.97.110.234) ownership and access controls; do not expose sensitive data to an unknown public IP.
5) If you must test, run in an isolated environment (throwaway VM/container) and do not grant real inbox/production credentials.
The current packaging is inconsistent: it claims to automate actions but bundles no executable code or declared credentials, so installing it as-is risks silent failures and unintended persistence.
Like a lobster shell, security has layers — review code before you run it.
