Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ens-manager
v1.2.0 · Register ENS names, create subdomains, and publish IPFS sites without manual contract calls
by Zeugh (@zeugh-eth)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description match the provided scripts: registration, subdomain creation, and IPFS content setting. The JS scripts operate on ENS contracts and use viem/content-hash as expected. No unrelated cloud provider credentials or unrelated binaries are requested.
Instruction Scope
The SKILL.md and other docs instruct the agent and user to provide keystore files, passwords, and optionally environment-based private keys; the bundled scripts require sensitive wallet material and will send transactions. The docs suggest a --private-key-env option and a default RPC (mainnet.rpc.buidlguidl.com / ethereum-rpc.publicnode.com), but the actual scripts do not consistently implement all documented authentication options (inconsistency between docs and code). SKILL.md also contains unicode-control-chars (prompt-injection signal) that could indicate tampering of documentation text. The scripts read local keystore files and accept plaintext passwords on the command line (shell-history risk) which the docs acknowledge; they also send requests to public RPC endpoints (which can log requests).
Install Mechanism
No install spec downloads arbitrary code; this is an instruction+script bundle included in the skill. Dependencies are standard npm packages (viem, content-hash). There are no external archive downloads or obscure installers in the skill metadata.
Credentials
The skill requires wallet credentials (keystore or private key), which is proportional to its ability to send ENS transactions. However, the documentation mentions environment-based private-key options that are not implemented in the provided scripts, and different files default to different RPC URLs. The only environment variable actually used in the code is RPC_URL (optional). No unrelated secrets are requested, but the skill legitimately needs private key material — that is high-sensitivity and should only be provided after code review.
Persistence & Privilege
The skill is not always-enabled (always:false) and does not request elevated platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but does not by itself increase concern given the other findings.
Scan Findings in Context
[unicode-control-chars] unexpected: A pre-scan detected unicode control characters in SKILL.md. This is not expected for a documentation file and can be a prompt-injection / obfuscation attempt; it warrants manual review of SKILL.md for hidden characters or tampering.
What to consider before installing
This skill generally does what it claims (register ENS names and set IPFS content) and includes the scripts to do it, but there are a few red flags you should address before using it with real funds:
- Review the scripts first. They handle your private key / keystore locally; verify the decrypt/write flows and ensure no code sends raw private keys to external servers. The repo is bundled so you can audit it locally.
- Protect wallet material. Prefer using a secure signing provider or an offline key rather than passing --password on the command line (shell history) or storing an unencrypted private key. If you must use a keystore+password, pass the password via a file descriptor or secure agent, not a plain CLI argument.
- Test on a testnet or with a throwaway wallet before using production ETH. Use dry-run modes first where available.
- Use a trusted RPC provider (or your own node) rather than the skill's default public endpoints — public RPCs can log requests (including the addresses involved) and may impose rate limits.
- Note the docs/code mismatches: SKILL.md and changelog mention --private-key-env and specific default RPCs, but the scripts are inconsistent. Confirm the exact command-line options in the JS files before running.
- Manually remove or inspect any hidden/unicode control characters in SKILL.md and other docs to ensure the content hasn't been obfuscated.
If you want, I can: (1) point out the exact lines of code that read/decrypt the keystore and how they handle the private key, (2) search the scripts for any network calls beyond the RPC endpoints, or (3) produce a safe checklist of commands to run this skill with minimal exposure (dry-run, test wallet, local RPC).
Like a lobster shell, security has layers — review code before you run it.
latest: vk97ca5zxf01qzrqx38eg6ph6v182vaa7
