Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SUPAH Research Intelligence
v1.3.0 · Professional-grade web research with multi-source verification and credibility scoring. Cross-references multiple sources, scores reliability, and delivers v...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
Name/description match the implementation: the code and SKILL.md call api.supah.ai to perform multi-source research, credibility scoring, verification, and report generation. However, SKILL.md/metadata embed an x402 micropayment configuration (currency, maxPerCall, payTo address) as part of the runtime metadata — this is functionally part of the skill (it expects on-chain micropayments to be made automatically by the agent runtime) and is not explicitly called out in the short description. Also the declared required binaries include 'curl' even though the provided node script uses built-in http/https only.
Instruction Scope
Runtime instructions and the index.js are narrowly scoped to contacting the SUPAH API endpoints and printing results; they do not read other local files or unexpected environment variables. The instructions do, however, include a payment expectation (x402 automatic micropayments) which causes network activity beyond pure data retrieval (economic action).
Install Mechanism
No external download/extract/install step is present in the registry metadata (instruction-only install). The package includes a local script (index.js) and a package.json; nothing is fetched from arbitrary URLs at install time. README suggests typical install paths (openclaw CLI, git, npm link).
Credentials
Registry/metadata declare SUPAH_API_BASE as a required env var, but the code defaults to 'https://api.supah.ai' if the variable is not set — a mismatch between 'required' and actual code behavior. No API keys or secrets are requested (good), but the embedded x402 payment metadata and the 'payTo' on-chain address mean the skill expects the agent/platform to perform micropayments; that is a material financial permission that is not obvious from the single-line description. Also, 'curl' is listed as required but not used by the provided code.
Persistence & Privilege
The 'always' flag is false, and the skill does not request persistent system privileges or attempt to modify other skills or system-wide config. The agent will be able to invoke the skill autonomously (default behavior), which combined with the payment metadata increases the blast radius for unexpected charges — but autonomous invocation itself is platform-default and not a standalone flag.
What to consider before installing
- Payment risk: SKILL.md metadata includes an x402 micropayment configuration and a 'payTo' Base address. Confirm how your OpenClaw agent/runtime handles x402 payments and whether it will automatically send USDC to that address for each call. This can incur real on-chain costs.
- SUPAH_API_BASE mismatch: the registry marks SUPAH_API_BASE as required but the code falls back to https://api.supah.ai if it's not set. Decide whether you need to override the endpoint or whether leaving it unset is acceptable.
- 'curl' requirement: the package lists 'curl' as required although the Node script uses Node's built-in http/https. This is an unnecessary dependency declaration; it is a minor inconsistency but harmless.
- Trust and provenance: the source/homepage are 'unknown' in the registry metadata. The code targets api.supah.ai and README points to github/supah-based; verify the upstream repository, confirm the team/org, and review their docs for x402 payment behavior before giving network/payment permissions.
- Test in sandbox: run the skill in a sandboxed agent or with network blocked (or with a test SUPAH_API_BASE) to observe behavior and avoid accidental charges.
- If you don’t want automatic micropayments, block or restrict outbound network to api.supah.ai or ensure your runtime’s x402 wallet is disabled/empty.
Given the payment-related behavior and the metadata/code mismatches, proceed only after confirming how your OpenClaw runtime handles x402 micropayments and after validating the vendor's trustworthiness.
latest · vk97255efvfe5s3qqeq7y02169h83capr
Runtime requirements
📰 Clawdis
Bins: curl, node
Env: SUPAH_API_BASE
