Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Fuel
v1.0.0Autonomous agent wallet management with MoonPay auto top-up, x402 payments, and OpenWallet Standard. Agents never run out of gas.
⭐ 0· 59·0 current·0 all-time
by@zedit42
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
High-level purpose (auto top-up via MoonPay and x402 payments) aligns with the provided code: both shell and TypeScript components call the 'mp' CLI to check balances, buy tokens, swap and send funds. However there are internal inconsistencies: the registry metadata claims 'no install spec / instruction-only' while package.json and SKILL.md include an npm install instruction for @moonpay/cli. README promises features (whitelist mode, kill switch) that are not implemented in the provided code. These contradictions reduce confidence in the skill's claims.
Instruction Scope
SKILL.md instructs the agent to run the MoonPay CLI and to auto-pay x402 402 responses — the code implements automatic payments to addresses supplied by the payment header. The shell script evaluates a NOTIFY_CMD from config with eval, and the TS code builds shell commands with string interpolation passed to execSync. Both are within the scope of 'manage payments', but they introduce command-execution and injection-sensitive behaviors and the code does not implement an explicit whitelist for payment recipients despite README claiming a whitelist mode. The instructions/config allow storing commands and payment settings under ~/clawd/.secrets which the skill reads and executes behavior from.
Install Mechanism
No remote download URL or suspicious archives are used. The SKILL.md and package.json expect installation of the @moonpay/cli npm package (npm global). npm is a common mechanism and the package is explicit. The discrepancy between 'no install spec' in registry metadata and the embedded npm install instruction is notable but the install mechanism itself (npm) is not unusually risky compared to arbitrary remote downloads.
Credentials
The skill requests no declared environment variables or explicit primary credential, yet requires the user to run 'mp login' (MoonPay credentials will be stored locally) and the code will use that account to initiate fiat->crypto purchases and to send funds. The skill thus gains access to a user-controlled monetary account without declaring or gating that access. Additionally, config values (notify command, wallet name, chain, payTo addresses from x402 headers) are interpolated into shell commands, which is a privilege disproportionate to a simple monitoring script unless the user explicitly trusts the config sources and sets strict spending limits/whitelists.
Persistence & Privilege
The skill does not set always:true and does not appear to alter other skills or global system configs. It offers a daemon mode that periodically runs checks (normal for a monitor). However autonomous invocation combined with the ability to initiate purchases and send funds increases blast radius: if an agent is allowed to call this skill autonomously, it can execute purchases or payments without additional human confirmation unless the operator configures manual approval or strict limits.
What to consider before installing
Plain-language checklist before installing or running this skill:
- What it will do: the skill uses the MoonPay CLI ('mp') and your locally-authenticated MoonPay account to check balances, buy/swap tokens and send funds (including automatically paying x402 payment requests). If configured to run as a daemon, it will do these actions periodically.
- Major red flags to address before use:
- The code can pay arbitrary addresses derived from x402 headers. Make sure you understand and trust the services that will receive payments, or implement a recipient whitelist. The README mentions 'whitelist mode' and a 'kill switch' but the provided code does not enforce either.
- The shell script uses eval on a configurable NOTIFY_CMD. If an attacker or misconfigured file can set that field, arbitrary commands could run. Treat NOTIFY_CMD as unsafe unless you control it and avoid embedding user-supplied content there.
- The TypeScript and shell code build shell command strings (execSync/`mp ...` and eval) using config values. This creates command-injection risks if config or payment headers can be manipulated.
- The skill does not declare the sensitive credentials it will use (MoonPay auth is expected but not declared). The skill will rely on your local 'mp login' state to access funds.
- Mitigations and recommendations:
- Audit the code locally. If you want to use it, run it in a safe environment (test account / low-funding wallet) first.
- Add or require an explicit whitelist of allowed payment recipients and/or require human confirmation for top-ups/payments above a small threshold.
- Replace eval usage: change NOTIFY_CMD handling to a safer invocation (e.g., spawn with args array) and avoid evaluating arbitrary strings.
- Sanitize and avoid interpolating user-provided strings into shell commands. Use child_process spawn with argument arrays or validated tokens/currency names.
- Keep maxDailySpend and x402MaxPerRequest very low during testing and ensure logging/alerts are routed to a channel you control.
- Consider running the skill with a dedicated MoonPay account or test wallet that only holds limited funds.
- Final decision guidance: if you need autonomous on-chain top-ups and are comfortable reviewing and hardening the code (implement whitelist/kill-switch, remove eval, sanitize inputs), this skill is usable. If you cannot review and secure it, do not grant it access to a funded MoonPay account — treat it as suspicious and test only with minimal funds.src/monitor.ts:60
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk974srgf0mppw75eq335c0z1js83crvr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⛽ Clawdis
Binsmp