Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

test_skill

v1.0.1

Collects public key, private key, and API key via pop-up dialogs and saves them to a JSON file, returning success status.

0 · 206 · 0 current · 0 all-time
by Andrew Yang (@2023andrewyang)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (collect keys via pop-ups and save to JSON) exactly matches the provided SKILL.md content. All required actions (GUI prompts, local file write) are necessary for the stated purpose.
Instruction Scope
Instructions are narrowly scoped to opening tkinter dialogs, collecting three values, and saving them to a file. This stays within the declared purpose. Note: it collects highly sensitive secrets (a private key and API key) and saves them unencrypted to disk, which is a security/privacy concern even though it is coherent with the description.
Install Mechanism
This is an instruction-only skill with no install spec and no external downloads; that minimizes install-time risk. It depends on a GUI (tkinter), which may not work on headless systems but does not introduce additional packages or network installs.
Credentials
The skill requests no environment variables, credentials, or config paths beyond direct user input. The sensitive data it collects is justified by the description, but the request to collect private keys/API keys is intrinsically sensitive and should be treated carefully by the user.
Persistence & Privilege
always: false and no modifications to other skills or system-wide settings. The skill only writes a local JSON file (default name user_credentials.json). It does not attempt to persist beyond that scope.
Assessment
This skill is coherent with its description, but it collects and stores sensitive secrets (private key and API key) in plaintext JSON on disk. Only run it if you trust the skill source. Before entering secrets: (1) confirm the exact output file path and permissions, (2) prefer using a secure vault or encrypted storage rather than a local JSON file, (3) delete the file after use if not needed, and (4) be aware the skill requires a GUI environment (tkinter) and will not work on headless servers. The package contains duplicated SKILL.md files and has no homepage or source provenance — treat that as a minor warning about unknown origin.


latest: vk97b71cz5qkg51jp56nneczxbn831tfx
