Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Carsxe

v1.0.3

Access the full suite of CarsXE vehicle data APIs — VIN decoding, license plate lookup, market value, vehicle history, safety recalls, lien/theft checks, OBD...

by Omar Walied (@0marwalied)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions and reference material: the skill is a wrapper for CarsXE vehicle-data endpoints (specs, plate decode, history, recalls, OBD, OCR, etc.). That capability set is coherent for the stated purpose. However, the registry metadata lists no required environment variables/primary credential while SKILL.md explicitly requires a CarsXE API key — a metadata/instruction mismatch.
Instruction Scope
SKILL.md prescribes calling CarsXE REST endpoints and chaining queries (plate → VIN → specs/history). It does not direct the agent to read unrelated system files, other env vars, or external endpoints beyond api.carsxe.com. It does instruct sending image URLs for OCR to the API — expected for the feature but sensitive because it sends user images/PII to the external service.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk or downloaded at install time. That reduces install-time risk.
Credentials
SKILL.md requires the user to supply a CarsXE API key for every request, but the registry metadata declares no required env vars or primary credential. The skill will need a secret (API key) to function; the absence of a declared credential is an inconsistency that affects how the platform will handle key storage and permissions. Also, because the API handles VINs/plates and images, any supplied key will grant access to potentially sensitive personal data; ensure the key is scoped/limited and stored securely.
Persistence & Privilege
Flags show no always:true and default autonomous invocation is allowed (platform default). The skill does not request persistence or system-wide config changes in its instructions.
What to consider before installing
This skill appears to be a straightforward CarsXE API client, but note two things before installing: (1) Metadata omits the required API key — ask the publisher or the registry how the key will be provided and stored (do not paste your key into public chat). The skill's instructions expect you to supply the CarsXE key at runtime; confirm whether the platform will store it securely as a secret/env var. (2) The skill sends VINs, license plates, and image URLs to api.carsxe.com (sensitive PII). Confirm you trust CarsXE and the skill owner, check the official CarsXE docs and domain, and prefer limited/rotatable API keys. If you need stronger assurance, request the publisher add explicit required env var metadata and a privacy statement describing how keys and uploaded images are handled.

Like a lobster shell, security has layers — review code before you run it.
