DeBox Community

Review

Audited by ClawScan on May 10, 2026.

Overview

The DeBox functions are mostly coherent, but the skill ships a real config.json (not an example file) containing an API-key-shaped value, while its metadata says no credential is required.

Before installing, delete or replace the bundled config.json and use your own DeBox API key. Expect wallet addresses, user IDs, and group IDs you query to be sent to the DeBox API. Review the npm dependencies before running npm install, and only use batch verification with a wallet-list file you intentionally created.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your DeBox queries may be authenticated under someone else's embedded API key, and the bundled key itself is exposed to anyone who installs the skill.

Why it was flagged

A runtime config file, not an example file, ships with an API-key-shaped value. Because the CLI loads config.json for authentication, a user who installs without replacing the file makes DeBox API requests with the bundled credential rather than their own.

Skill content
"apiKey": "z75mrVAEC3JAhdB4"
Recommendation

Remove the shipped config.json, ship only config.example.json, declare the DeBox API key requirement in metadata, and require users to provide their own key via environment variable or a locally created config file.

What this means

If pointed at the wrong file, the tool sends each line of that file to the DeBox API as a wallet identifier, so the contents of an unrelated local file can leave the machine.

Why it was flagged

The batch verification command reads a user-specified local file and treats every line as a wallet to verify. That matches the whitelist-verification use case, but the excerpt shows no check that a line is actually a wallet address, so the file path alone decides what data is sent to the API.

Skill content
const wallets = fs.readFileSync(file, 'utf8')
    .split('\n')
    .map(w => w.trim())
Recommendation

Use a dedicated wallet-list file for batch verification (one address per line, nothing else) and avoid giving the command arbitrary or sensitive file paths.

What this means

Installing the skill may require downloading and installing Node packages despite the registry showing no install requirements.

Why it was flagged

The tutorial requires npm dependency installation even though the registry install specification says this is an instruction-only skill. The dependencies appear purpose-aligned for image generation, but the setup is not fully reflected in metadata.

Skill content
cd ~/.openclaw/workspace/debox-community
npm install
Recommendation

Review package.json and package-lock.json before installing, paying particular attention to install-time lifecycle scripts and to dependencies that are not pinned to the npm registry with an integrity hash, and have the maintainer add accurate install requirements and dependency information to the registry metadata.