Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Echo Developer Guide
v1.0.0
Build apps on AINative and earn revenue through the Echo Developer Program. Use when (1) Registering as a developer, (2) Setting markup rates (0-40%), (3) Ch...
by Toby Morning @urbantech
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Echo Developer Program: register, set markup, check earnings, Stripe Connect payouts) aligns with the API endpoints and examples in SKILL.md. Nothing in the doc asks for unrelated resources or permissions.
Instruction Scope
Runtime instructions show concrete API calls to https://api.ainative.studio and Stripe Connect onboarding flows, which stay within the stated domain. However, all example requests use an Authorization: Bearer {jwt_token} header but the skill does not declare or explain where that token comes from or how it should be supplied/stored.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk delivery. It does not download or write code to disk.
Credentials
The SKILL.md expects an authenticated context (jwt_token) for API calls but the registry metadata lists no required environment variables or primary credential. This is an inconsistency: the skill needs an auth token to function but does not declare it. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
always is false and there is no install or configuration that requests persistent system presence or modifies other skills. Autonomous invocation is allowed (platform default) but not combined with additional privileges.
What to consider before installing
This skill appears to be a straightforward developer guide for AINative's Echo program, but before installing or using it: (1) confirm the authenticity of the domain https://api.ainative.studio and that you trust the provider; (2) understand that you must supply a jwt_token (an authorization bearer token) for the example API calls — the skill fails to declare where that credential should come from or how to store it safely; (3) verify Stripe onboarding links at runtime (ensure they redirect to Stripe and not a phishing page); (4) ask the skill author to explicitly declare required environment variables/credential type and to document expected OAuth or JWT flows; (5) avoid pasting long-lived secrets into untrusted UIs — prefer short-lived tokens or follow documented OAuth flows. If you need higher assurance, request the skill author provide provenance (homepage, contact, or repository) and an explicit credential/installation section.
Like a lobster shell, security has layers — review code before you run it.
