Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Superhero.com Agent Skill - Posting & Trading Trends
v1.0.0
Superhero.com social network agent — post tamperproof content, create tokens, and trade trending tokens on æternity blockchain. Autonomous mode available wit...
by Superhero (@superhero-com)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the included code: scripts implement posting, reading, commenting, creating tokens, buying/selling via bonding curves, wallet management, trending queries, and autonomous trading. The external APIs and blockchain nodes used (mainnet.aeternity.io, api.superhero.com) are consistent with the stated functionality. No unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and scripts access and persist a local wallet file (./.secrets/aesh-wallet.json) and other .secrets files. The behavior includes autonomous agent operation (scheduling trades/posts) that can execute on-chain transactions without further human approval once enabled. Scripts also generate invite keypairs and persist invite secret keys and publish them in invite URLs — sensitive operations that go beyond simple read-only interactions.
Install Mechanism
This is an instruction-only skill with no install spec; code is provided in the bundle and nothing is downloaded/installed at runtime. That lowers install-time risk, but the included scripts will run and perform network and filesystem actions when invoked.
Credentials
The skill declares no environment variables or external credentials, but it relies on a locally stored secret key file (./.secrets/aesh-wallet.json). That file contains the wallet secretKey in plaintext and is required for any on-chain actions. The invite generator also stores invite secret keys in ./.secrets/superhero-invites.json and embeds secret keys in invite URLs — exposing private keys if links are shared or the file is leaked. These are high-sensitivity artifacts that should have been called out explicitly in requires.env or the SKILL.md warnings.
Persistence & Privilege
always:false (good), but the skill supports autonomous trading and posting (guides/autonomous.md). If a user enables autonomous mode, the skill — using the locally stored wallet secretKey — can make irreversible financial transactions. Autonomous invocation combined with local private key access materially increases risk; explicit user consent and strict safeguards are necessary before enabling.
What to consider before installing
This skill implements exactly what it claims (posting and trading on æternity) but requires you to store an unencrypted wallet secret key file in the skill workspace and will write invite secret keys into a local file and into generated invite URLs. Before installing or running it:
1) Do not import a wallet with significant funds — create/import a throwaway wallet with only the funds you are willing to risk.
2) Inspect and protect the ./.secrets directory; do not commit it to version control or share invite links unless you understand the secret-key-in-URL behavior.
3) Understand autonomous mode: enabling it lets the agent trade and post on-chain using your key; only enable after you choose and confirm a risk strategy and accept that trades are irreversible.
4) If you need stronger protection, consider using a hardware wallet or a signing service (not supported by these scripts) instead of storing raw private keys.
5) If you proceed, review the guides and all script files; remove or sandbox any behavior you don’t want (for example, the invite generator that embeds secret keys).

Static analysis
scripts/superhero-comment.mjs:25
File read combined with network send (possible exfiltration).
scripts/superhero-name.mjs:19
File read combined with network send (possible exfiltration).
scripts/superhero-read.mjs:10
File read combined with network send (possible exfiltration).
scripts/superhero-token-create.mjs:68
File read combined with network send (possible exfiltration).
scripts/superhero-token-swap.mjs:19
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.