Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aster Spot

v0.1.1

Aster Spot request using the Aster API. Authentication requires API key and secret key (HMAC SHA256). Supports mainnet.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Aster Spot) match the SKILL.md and authentication reference: this is a guide for calling Aster spot endpoints. One minor inconsistency: the manifest declares no required environment variables or primary credential, but the documentation clearly requires an API key and secret for authenticated endpoints. This is likely an authoring omission rather than malicious behavior, but users should expect to provide API key/secret at runtime.
Instruction Scope
Instructions are scoped to making HTTP calls to https://sapi.asterdex.com and signing requests with HMAC-SHA256. They recommend using curl, jq, openssl and give examples for bash and Python. The instructions do not ask the agent to read unrelated system files, exfiltrate data to other endpoints, or modify other skills. They do show examples that place API secrets into shell variables for signing — normal for an API client but requires caution by the user.
Install Mechanism
No install spec or code files are included; this is an instruction-only skill. That minimizes disk-write risk and there are no external downloads to evaluate.
Credentials
Authenticated endpoints legitimately require an API key and secret (HMAC signing). The skill does not request unrelated credentials, but the registry metadata did not declare the API key/secret as required environment variables or a primary credential. Users should treat API key/secret as sensitive: supply minimal-permission keys, use IP whitelists if possible, and avoid entering a full-funding key.
Persistence & Privilege
The skill is not always-enabled, has no install, and does not request persistent platform privileges or modify other skills. Autonomous agent invocation is allowed by default (normal) but nothing here amplifies that risk.
Scan Findings in Context
[no-findings] expected: The static scanner found no code to analyze because this is an instruction-only skill. That absence is expected; the SKILL.md and references are the security surface to review.
Assessment
This skill appears to be a straightforward API usage guide for the Aster spot exchange. Before using it, verify the API base URL (https://sapi.asterdex.com) is the official endpoint you intend to use. Never paste your secret API key into public chat or logs; use a dedicated API key with the minimum permissions you need (e.g., read-only if you only query market data). Prefer IP-restricted or test keys for experimentation. Note the manifest did not declare the API key/secret fields — expect to provide them interactively or via whatever secret mechanism your agent platform supplies. If you plan to let the agent act autonomously with this skill, create a low-permission key and monitor account activity (and consider disabling trading/withdraw permissions unless explicitly needed).
