ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NPkill

v1.0.1

Clean up node_modules and .next folders to free up disk space using npkill. Specifically designed to help JavaScript and Next.js developers remove accumulated build artifacts that consume significant storage. Provides both interactive and automated cleanup options with safety checks to protect important system directories.

0· 2k·0 current·0 all-time
by@ashirbadgudu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (cleaning node_modules and .next) matches the instructions (run npkill, options for target, dry-run, directory, exclusion). Requiring the npkill CLI (via npm) is appropriate for this purpose. The SKILL.md does not ask for unrelated credentials or system services.
Instruction Scope
Instructions are narrowly scoped to searching for and deleting build artifact folders and include safety recommendations (dry-run, interactive, exclusions, warnings). The only risk in the instructions is the documented automated delete option (--delete-all --yes), which is destructive by design; the skill advises using dry-run and interactive modes first.
Install Mechanism
This is an instruction-only skill with no install spec, so it does not itself write code to disk. It instructs users to run `npm install -g npkill` to obtain the CLI. Installing a global npm package is a standard approach but does pull code from the npm registry — verify the package name, publisher, and version before installing (source/homepage in the skill metadata is unknown).
Credentials
No environment variables, credentials, or config paths are requested in the skill or SKILL.md, which is proportional for a local filesystem cleanup tool.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or cross-skill configuration. It does not ask to modify other skills or system-wide agent settings.
Assessment
This skill appears coherent and does what it says — it is a wrapper documenting use of the npkill CLI. Before installing or running anything: 1) verify the npm package (npkill) publisher and version on the npm registry to ensure you get the official tool; 2) run `npkill --dry-run` and use interactive mode before any automated deletion; 3) be careful with `--directory` and `--delete-all --yes` since they can delete large sets of folders; 4) installing global npm packages requires elevated permissions on some systems — consider using a constrained environment if you are unsure about the package source.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fjrxy57dr6x3867805jnfcx80165m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments