Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ConsortiumAI Create Account

v1.0.0

Create a custodial wallet account on Consortium AI.

by Web Crafter 🕸️ @webcraft3r
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and the bundled script all align: they call https://api.consortiumai.org to create a custodial wallet using an API key. However, the registry metadata lists no required environment variables while SKILL.md and the script require TRADING_ANALYSIS_API_KEY — an inconsistency that should be resolved. Also, the env var name (TRADING_ANALYSIS_API_KEY) is oddly named for a custodial-wallet API key, which could indicate mislabeling or reuse of a key intended for a different product.
Instruction Scope
The runtime instructions and bundled script are scoped narrowly: they only require an API key and a wallet address, then POST that address to the documented API endpoint. The instructions do not ask the agent to read other files, system paths, or unrelated environment variables.
Install Mechanism
This is an instruction-only skill with a small included script and no install spec. Nothing is downloaded or installed at runtime beyond running the provided Node script. That minimizes install-time risk.
Credentials
The skill requires a single API key (TRADING_ANALYSIS_API_KEY) which is reasonable for the described API, but: (1) the registry metadata omitted this required env var, (2) the key name is unexpected for a custodial-wallet API and could lead users to mistakenly supply the wrong credential, and (3) creating custodial wallets is a sensitive operation — using a high-privilege or shared API key here would be risky. The skill does not request additional unrelated credentials, which is good.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configuration, and does not install persistent agents. It runs only when invoked, so persistence/privilege concerns are low.
What to consider before installing
This skill appears to implement what it claims (it posts a walletAddress to https://api.consortiumai.org using an API key). Before installing or using it: (1) verify the API key provenance — only set a key you obtained directly from Consortium AI and do not reuse high-privilege keys from other services; (2) confirm the correct environment variable name with the skill publisher (metadata omitted the required env var and the provided name TRADING_ANALYSIS_API_KEY looks mismatched); (3) verify the Consortium AI domain and contact info (the SKILL.md points to an X account) to ensure the service is legitimate; (4) review the small script yourself or run it in an isolated environment, since it will transmit the wallet address and API key to a remote endpoint; and (5) if you rely on this for production funds or sensitive accounts, request stronger assurances (publisher identity, TLS certs, official docs) before use.

Like a lobster shell, security has layers — review code before you run it.

latest vk970dnqr8eadgwtn1bb4tc1wpx80zrj2
