Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ephemeral Media Hosting
v1.0.0 · Temporary media hosting system with automatic deletion
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (ephemeral media hosting) align with the provided content: directory layout, nginx site config, upload handling, MIME validation, and a cleanup cron. There are no unrelated credential or service requirements.
Instruction Scope
SKILL.md contains concrete shell scripts and nginx configs that will create system directories under /var/www, write a config file, and install a cron entry, and it references editing /etc/nginx; all of this is consistent with installing a web-hosting service. These instructions do not appear to read or exfiltrate unrelated files, but they do instruct high-privilege actions (sudo, crontab, writing /etc/nginx) and so must be run only after manual review.
Install Mechanism
No install spec and no code files — this is instruction-only. That reduces supply-chain risk (no remote archive downloads or packages). The user/administrator is expected to run the provided commands themselves.
Credentials
The skill requests no environment variables, credentials, or config paths. The included config.env is for local settings (file size, retention, allowed MIME types) and contains no secrets. No disproportionate credential access is requested.
Persistence & Privilege
The skill does not request 'always' or permanent platform privileges, but following its instructions will create persistent system state (nginx site, cron job, files under /var/www, log files). Those changes require root-level permissions and have ongoing effects, so exercise standard operational caution.
Assessment
This skill is coherent for setting up an ephemeral media host, but it contains commands that modify system configuration and create persistent services (write to /etc/nginx, create /var/www files, add a crontab). Before running anything:
1) review every script line-by-line (don’t run blindly),
2) run setup steps as an administrator on a disposable or containerized host if possible, not your primary machine,
3) ensure the upload backend (127.0.0.1:8080 or PHP-FPM) is implemented securely and won’t accept executable or dangerous file types,
4) verify the MIME validation logic and do not rely only on file extensions,
5) restrict filesystem permissions (run services as a dedicated unprivileged user) and lock down nginx to avoid path traversal, and
6) consider additional virus/malware scanning and stricter rate limits for public upload endpoints.
If you want, I can (a) walk through each script and point out risky commands, (b) suggest safer defaults (containerized deployment, reduced permissions, SELinux/AppArmor guidance), or (c) produce a hardened variant of these scripts.
Like a lobster shell, security has layers — review code before you run it.
