Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
social-value
v0.1.0
Economic intelligence for AI agents — efficient micropayments via Breez SDK (Liquid or Spark)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to create and manage a Liquid/Spark wallet from a BIP39 mnemonic and to use the Breez SDK — asking for a mnemonic and Breez API key is coherent with that purpose. However, the registry summary at the top of the package claims 'Required env vars: none' while the included metadata.json and SKILL.md explicitly require BREEZ_API_KEY and SOCIAL_VALUE_MNEMONIC. That inconsistency reduces trust in the packaging/metadata.
Instruction Scope
The SKILL.md instructs the agent to request and store extremely sensitive secrets (a BIP39 mnemonic and Breez API key) and to set them in environment variables. This is within the stated wallet purpose, but environment variables can be captured in logs or leaked; the skill also instructs creation of a permanent wallet (mnemonic = full control of funds). There is no code included for inspection — the runtime behavior depends on an external pip package that will run locally, which increases risk.
Install Mechanism
The skill is instruction-only but declares installation via a pip package (social-value) and also lists a 'uv' install entry; metadata.json lists pip: social-value and a dependency on breez-sdk-liquid. Installing a third-party pip package at runtime can execute arbitrary code. There are no included code files to audit, and the install entries are inconsistent (uv vs pip). This is a moderate-to-high risk installation path unless you audit the package source and releases first.
Credentials
The environment variables required (BREEZ_API_KEY, SOCIAL_VALUE_MNEMONIC) are directly relevant to creating and operating a wallet and so are proportionate to the stated function. However, these are extremely sensitive: the mnemonic grants full control of funds and the Breez API key may enable SDK actions. The skill also suggests setting these as env vars (convenient but potentially insecure).
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-wide config changes. It may create an SDK data directory (SOCIAL_VALUE_WORKING_DIR optional), which is expected for a wallet SDK. There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill will create a wallet from a BIP39 mnemonic and requires you to provide the mnemonic and a Breez API key — whoever holds the mnemonic controls the funds. Before installing or running it:
1) Do not reuse an existing mnemonic that already holds real funds; generate a fresh mnemonic offline if you want to experiment.
2) Inspect the pip package source (PyPI repo or the GitHub repo linked in metadata) and review recent releases and maintainer reputation before installing.
3) Prefer running the installation in an isolated environment or sandbox.
4) Consider using testnet/mainnet flags and a small test amount first.
5) If you must provide secrets as env vars, ensure they are stored securely and not logged; set SOCIAL_VALUE_MAX_BALANCE to a low cap while testing.
6) If you are not comfortable giving control of a mnemonic to a third-party package, decline to provide the mnemonic and instead use a read-only or escrow approach (if supported).
Like a lobster shell, security has layers — review code before you run it.
latestvk9700t2ccnnsz24ny2bcwnw3698362tz
Runtime requirements
Bins: pip
Install
uv
uv tool install social-value