ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawdtm Advisor

v1.0.0

Search, evaluate security, and install OpenClaw skills. Helps your human find the right skills safely.

0· 610·3 current·3 all-time
by@0xmythril
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the behavior in SKILL.md: it queries a public API to search and fetch skill files and returns installation instructions. It does not request unrelated credentials or binaries.
Instruction Scope
The instructions tell the agent to fetch skill files from clawdtm.com and write each returned file into ./skills/{slug}/. This is expected for an installer, but the SKILL.md does not require or document integrity checks, signature verification, or sandboxing of fetched files. It also suggests falling back to running an external tool ('clawhub install {slug}') if files are null, which implicitly assumes that tool exists and is trusted.
Install Mechanism
No install spec or binaries are included; the skill is instruction-only and performs remote HTTP requests to a clearly stated API. This is the lowest-risk install mechanism in the platform model.
Credentials
The skill declares no required environment variables, primary credential, or config paths. SKILL.md also claims the advisor endpoints are public and need no auth; there is no evidence the skill asks for unrelated secrets.
Persistence & Privilege
always is false and the skill does not request persistent presence or elevated privileges. It does instruct writing files into the agent workspace for installs, which is expected for an installer.
Assessment
This advisor skill appears coherent and does what it says: it queries a public API and returns skill files to write into your workspace. Before installing any fetched skill, manually inspect the returned files (especially install/setup scripts), verify any integrity/signatures if available, and avoid automatically executing scripts. Prefer skills with good security scores and human reviews; do not enable high/critical-risk skills unless you explicitly understand and accept the risks. Be cautious about the fallback 'clawhub install' command — confirm that tool is present and trusted before invoking it.

Like a lobster shell, security has layers — review code before you run it.

latestvk978yfxjges0cqz4yk3vemxj19817jqd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis

Comments