Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
UnifAI
v1.0.4
A CLI for searching and invoking services on the UnifAI network. Supports 40+ services across DeFi, token data, social media, web search, news, travel, sport...
by Yilun Zhang (@yilunzhang)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (UnifAI CLI for discovering/invoking services) match the declared binary (unifai), required API key (UNIFAI_AGENT_API_KEY), and optional signing keys/RPCs. The npm package install (unifai-sdk) is a reasonable way to provide the CLI binary.
Instruction Scope
SKILL.md instructs the agent to search then invoke via the unifai CLI and documents when signing is needed. It does not instruct the agent to read unrelated system files or exfiltrate data. It explicitly uses environment variables for keys and RPCs and warns to always inspect payload schemas before invoking.
Install Mechanism
Install uses the npm package 'unifai-sdk' to create the 'unifai' binary. This is an expected mechanism for a Node.js CLI, but npm packages are third‑party code—verify the package's authorship and audit the package if you don't trust the publisher. Using 'npx' avoids a global install.
Credentials
Only UNIFAI_AGENT_API_KEY is required which fits the described network API usage. The optional environment variables (SOLANA_PRIVATE_KEY, EVM_PRIVATE_KEY, RPC URLs) are justified for local transaction signing and RPC overrides, but they are highly sensitive — supplying private keys grants the CLI (and any agent that can invoke it) the ability to sign and submit on‑chain transactions.
Persistence & Privilege
always:false and no required config paths or system modifications are requested. The skill does not request permanent/system‑wide privileges. Autonomous invocation is allowed by default, which is normal; the skill does not elevate privileges beyond its own CLI usage.
Assessment
This skill appears to do what it says: a CLI that finds and invokes network services, optionally signing blockchain transactions. Before installing: (1) verify the npm package and GitHub repository ownership/reputation; prefer npx if you don't want a global install; (2) do NOT put your private keys (SOLANA_PRIVATE_KEY, EVM_PRIVATE_KEY) in environment variables unless you trust the package and understand the risk — any process that can invoke the CLI (including autonomous agents) could sign transactions with those keys; (3) restrict RPC URLs to trusted providers and consider rate limits; (4) test with non‑funded keys or a testnet first. If you need higher assurance, review the unifai-sdk source code on GitHub and inspect the package before running it.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🤖 Clawdis
Bins: unifai
Env: UNIFAI_AGENT_API_KEY
Install
Install unifai-sdk (node)
Bins: unifai
npm i -g unifai-sdk