← Back to Skills Marketplace
65
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install crypto-scam-red-flags
Description
A scam-screening skill that reviews offers, messages, or influencer claims and points out concrete red flags. Use when the user receives a suspicious offer,...
README (SKILL.md)
crypto-scam-red-flags
A scam-screening skill that reviews offers, messages, or influencer claims and points out concrete red flags.
Workflow
- Take the pasted message, offer text, DM, or campaign description.
- Look for urgency, guaranteed returns, impersonation, fake support behavior, secrecy, wallet-drain patterns, or emotional manipulation.
- Classify the situation: likely scam, suspicious, unclear, or low-obvious-risk.
- Explain why each red flag matters.
- Give the safest next step: do not click, verify independently, or walk away.
Output Format
- Risk verdict
- Red flags found
- Why they matter
- Safest next action
- What not to share or sign
Quality Bar
- Uses evidence from the supplied text, not vague fear.
- Stays practical and protective.
- Makes the user safer even when certainty is impossible.
- Avoids false confidence like "100% safe."
Edge Cases
- Some real promotions look spammy; say when independent verification is still needed.
- Cannot inspect links, smart contracts, or domains in real time.
Compatibility
- Best with pasted text or manually transcribed screenshot content.
- Prompt-only, strong complement to wallet safety education.
Usage Guidance
This skill's description and SKILL.md look appropriate for scam screening, but handler.py contains a hard-coded local file read of /Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md which is unnecessary and inconsistent. Before installing or enabling autonomous invocation: (1) ask the author why the handler reads that path and request removal or replacement with a safe, relative/resource-based read, (2) review or run the handler.py in a sandbox to confirm it doesn't exfiltrate or read unexpected files, and (3) avoid installing it on systems with sensitive local data until the file-access behavior is corrected. If the author cannot justify or fix the hard-coded path, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: crypto-scam-red-flags
Version: 1.0.0
The handler.py file contains a path traversal vulnerability in the _load_skill_meta function, which uses an unsanitized skill_name input to read files from the local filesystem. Furthermore, the code contains a hardcoded absolute path to a specific user's directory (/Users/jianghaidong/), which is highly irregular for a portable skill. While there is no explicit logic to exfiltrate the read data, these implementation flaws provide a mechanism for unauthorized file access.
Capability Tags
Capability Assessment
Purpose & Capability
The skill claims to be prompt-only and to work from pasted text; it does not need to access the local filesystem. Yet handler.py calls _load_skill_meta which opens /Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md — a hard-coded user-home path. Reading arbitrary local files is not justified by the scam-screening purpose and is disproportionate.
Instruction Scope
SKILL.md describes a prompt-only workflow and does not instruct reading local files. The handler code contradicts that by attempting to read a SKILL.md from a specific local path. That is scope creep: the runtime behavior (file I/O) is not documented in the skill instructions.
Install Mechanism
There is no install spec and no downloads or external installers. No additional packages or network installs are requested, so the install mechanism itself is low-risk.
Credentials
The skill declares no required env vars or credentials (appropriate), but the code accesses a hard-coded filesystem path in the user's home. Access to local files was not declared and is not proportional to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. Autonomous invocation is allowed by default (normal), and there is no evidence it writes system-wide config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install crypto-scam-red-flags - After installation, invoke the skill by name or use
/crypto-scam-red-flags - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — screens crypto-related messages for scam red flags.
- Reviews offers, DMs, and claims, highlighting specific warning signs like urgency, guarantees, impersonation, and secrecy.
- Provides a risk verdict, explains detected red flags, and recommends the safest next action.
- Outlines what sensitive information not to share or sign.
- Ensures suggestions are evidence-based and focused on user safety.
- Stresses caution, never promising any message is "100% safe."
Metadata
Frequently Asked Questions
What is Crypto Scam Red Flags?
A scam-screening skill that reviews offers, messages, or influencer claims and points out concrete red flags. Use when the user receives a suspicious offer,... It is an AI Agent Skill for Claude Code / OpenClaw, with 65 downloads so far.
How do I install Crypto Scam Red Flags?
Run "/install crypto-scam-red-flags" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Crypto Scam Red Flags free?
Yes, Crypto Scam Red Flags is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Crypto Scam Red Flags support?
Crypto Scam Red Flags is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Crypto Scam Red Flags?
It is built and maintained by haidong (@harrylabsj); the current version is v1.0.0.
More Skills