Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ripley Pocket For Monero

v1.0.1

API client skill for Ripley Pocket — the M2M micro-payment gateway for AI agents. Use this skill whenever you need to: send or receive payments between AI ag...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, and declared environment variables (API_KEY, RIPLEY_URL) match a client for a custodial Monero payments API. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md contains concrete curl examples and endpoint descriptions limited to registration, balance, payments, swaps, and deposit flows. It does not instruct the agent to read local files or unrelated environment variables. Note: the doc tells the user to 'save the api_key' (it is shown only once), which implies the agent or user will persist a secret — handle storage carefully.
Install Mechanism
Instruction-only skill with no install spec and no code files, so nothing is written to disk or pulled from remote sources by the skill itself.
Credentials
Only a single primary credential (API_KEY) and an optional RIPLEY_URL are declared — this is proportionate for a REST API client that authenticates via X-API-KEY.
Persistence & Privilege
always:false (normal). The skill permits autonomous invocation (disable-model-invocation:false), which is platform-default; because this skill can initiate payments, giving it an API_KEY allows it to act on funds if invoked autonomously. This is expected for a payments client but is an operational risk to consider.
Assessment
This skill appears to be what it says — a REST client for a custodial Monero payments gateway. Before installing: only provide an API_KEY you trust the skill to use (prefer a key scoped for the actions you want, or a test key), test with minimal funds, and monitor activity. Consider restricting autonomous invocation (require explicit user confirmation) if you do not want the agent to make payments automatically. Because the skill's source/homepage is unknown, verify the service operator and that you are comfortable entrusting them with custody of funds before moving real value.

Like a lobster shell, security has layers — review code before you run it.

Tags: agent-skill, kyc-rip, latest, m2m, micropayments, monero, privacy, ripley, wallet, x402, xmr, xmr402

Runtime requirements

Primary env: API_KEY
