Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BitNow
v1.1.1
End-to-end OpenBytes network API workflows for AI agents. Covers wallet signature-based authentication, on-chain top-up monitoring, consumer API key lifecycl...
by Jerry @viyozc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes wallet-based auth, API-key lifecycle, on-chain top-ups, and model calls — which aligns with the skill name/description. There are no unrelated binaries or requests for unrelated cloud credentials. Minor issues: no homepage/source provided (provenance unknown), and a small apparent chain-id typo in one snippet (84532 vs 8453) which suggests sloppiness.
Instruction Scope
The runtime instructions tell users to create wallets (ethers.js/viem) and explicitly print private keys to console (with a 'Be sure to securely save' admonition). That is sensitive and risky behavior to encourage; it is within the skill purpose but increases the chance of user error. The instructions also reference using environment variables (OPENBYTES_API_KEY, session tokens) even though the registry metadata declared no required env vars — a mismatch between declared surface and actual runtime expectations.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk because nothing will be written/executed by the installer itself.
Credentials
Registry metadata lists no required env vars or primary credential, but SKILL.md repeatedly instructs saving and exporting OPENBYTES_API_KEY and using session tokens; this discrepancy is notable. The skill also requires generation and handling of private keys (sensitive secrets) — justified by purpose but high-risk and not represented in declared environment/credential metadata.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not attempt to modify other skills or claim persistent elevated privileges.
Scan Findings in Context
[empty_scan] expected: The regex-based scanner found nothing because this is an instruction-only skill with no code files. That absence is expected but means the scanner provides no additional assurance.
What to consider before installing
This skill appears to do what it says (OpenBytes API workflows) but exercise caution before installing. Key points: (1) provenance is unknown — there is no homepage or source to verify the API surface or owner; (2) the instructions encourage generating private keys and printing them to the console — avoid copying/printing private keys in plaintext or pasting them into UIs or chat; prefer hardware wallets or secure, offline key generation and storage; (3) SKILL.md references environment variables (OPENBYTES_API_KEY, session tokens) even though the registry metadata declares none — expect to manage secrets yourself and verify the exact env names and lifetime; (4) double-check gateway URL, contract addresses, and chain-id values against official OpenBytes documentation before making on-chain transfers; (5) test any flows in a low-risk environment (testnet or with minimal funds) and do not share API keys or private keys. If you need higher assurance, request the skill source or an official publisher/homepage, or use official SDKs/docs from OpenBytes instead of following unverified instructions.
Like a lobster shell, security has layers — review code before you run it.
latestvk97aqts01vdpgsf7kn14ybk4w183grsr
