ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Monero Wallet

v1.0.12

Official KYC-rip Monero Agent Skill. Manage XMR wallets on Mainnet/Stagenet via Ripley Gateway.

0· 454·0 current·0 all-time
by@xbtoshi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (manage XMR via Ripley Gateway) match the declared requirements: python3, curl, AGENT_API_KEY, and a local gateway. The single included script and curl examples are appropriate for that purpose.
Instruction Scope
SKILL.md instructs the agent to talk only to a local Ripley Gateway (127.0.0.1:38084) or use the included Python helper. The instructions focus on balance, addresses, transfers, and XMR402 payment flows; they do not instruct reading unrelated files or exfiltrating arbitrary data. Note: the skill directs the agent to perform on-chain payments (pay-402), which is within scope but implies financial consequences.
Install Mechanism
No install spec (instruction-only) and a small helper script included. No downloads from remote URLs or archive extraction. Declared pip dependency (requests) is reasonable for the helper script.
Credentials
Only AGENT_API_KEY is required and is used as the gateway authentication key; that is proportional to the skill's function. The helper script reads only that env var (or an explicit --api-key). No other secrets or unrelated env vars are requested.
Persistence & Privilege
Skill is not forced to always-load and uses normal autonomous invocation. It does not request system-wide config changes, nor access to other skills' credentials or config paths.
Assessment
This skill is internally coherent: it expects you to run a local Ripley Gateway and to supply a gateway API key (AGENT_API_KEY). Before installing, verify you trust the skill source and the Ripley Docker images (kyc.rip / GitHub repo), because running a local gateway image gives that code access to your node/wallet. Only set AGENT_API_KEY if the gateway is genuinely under your control (127.0.0.1 is enforced by the helper script). Be aware that using pay-402 will spend real XMR — double-check nonce/address/amounts and transaction logs to avoid duplicate payments. If you need higher assurance, review the GitHub repo and Docker image manifests and run the gateway in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

agent-skillvk97c35kchyr3mj6w0960mga2g98329jnkyc-ripvk97c35kchyr3mj6w0960mga2g98329jnlatestvk97c35kchyr3mj6w0960mga2g98329jnm2mvk97c35kchyr3mj6w0960mga2g98329jnmicropaymentsvk97c35kchyr3mj6w0960mga2g98329jnmonerovk97c35kchyr3mj6w0960mga2g98329jnprivacyvk97c35kchyr3mj6w0960mga2g98329jnwalletvk97c35kchyr3mj6w0960mga2g98329jnx402vk97c35kchyr3mj6w0960mga2g98329jnxmrvk97c35kchyr3mj6w0960mga2g98329jnxmr402vk97c35kchyr3mj6w0960mga2g98329jn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💰 Clawdis
Binspython3, curl
EnvAGENT_API_KEY
Primary envAGENT_API_KEY

Comments