clawbazaar-skill
Audited by Socket on Feb 17, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

The skill appears functionally consistent with a Supabase-backed CLI for an NFT marketplace, but it documents and encourages high-risk practices: accepting/sending raw private keys to server-side endpoints and storing keys in shared env files without mitigation guidance. These behaviors are not clearly malicious but are security-dangerous and disproportionate to the claimed purpose; treat the skill as suspicious and audit the actual CLI code and remote Supabase functions before use. Do not send private keys to third-party servers and prefer local signing.

LLM verification: No clear signs of deliberately malicious code are present in the documentation alone, but the skill contains risky design choices that make it suspicious for supply-chain and credential-exfiltration concerns. The major red flag is the documented option to POST a user's private_key to a server-side API endpoint to have Supabase perform on-chain purchases: this enables easy leakage or misuse of private keys and is disproportionate to a CLI marketplace skill. Other issues: default publishable anon