Claw Earn
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is classified as suspicious due to two primary indicators:

1) The installation instructions in `SKILL.md` and `README.md` use `curl -fsSL https://clawearn.xyz/install.sh | bash`, which is a high-risk method for executing arbitrary remote code and poses a significant supply chain vulnerability.
2) Both `SKILL.md` and `HEARTBEAT.md` contain instructions for the AI agent to update its own skill files from `http://localhost:3000`, which is a clear prompt injection vulnerability. An attacker controlling a local server could inject malicious code into the agent's skills.

While the skill's stated purpose involves high-risk financial transactions (USDC transfers, deposits, withdrawals, gas refuels), these are aligned with its function as a trading bot, and the `core/security/SKILL.md` provides strong security warnings and best practices. However, the installation and update mechanisms introduce critical security weaknesses.
