ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Launchpad

v2.0.1

Reference tool for blockchain and crypto — covers intro, formulas, regulations and more. Quick lookup for Launchpad concepts, best practices, and implementat...

0· 88·0 current·0 all-time
byBytesAgain2@ckchzh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The top-level SKILL.md and scripts/script.sh implement a read-only reference (intro, formulas, regulations, etc.), but the package also includes skills/launchpad/SKILL.md and skills/launchpad/scripts/script.sh that implement a data-entry CLI (status, add, list, search, remove, export, config) which stores data under $HOME/.launchpad. Those two sets of functionality conflict, and the nested SKILL.md references scripts/script.sh (a path that may resolve to the other script), creating ambiguity about which behavior will be invoked.
!
Instruction Scope
The primary SKILL.md states outputs are static heredocs and no network/credentials are used, which matches the top-level script. However, the embedded skill instructions instruct running a CLI that reads/writes files, uses an optional LAUNCHPAD_DIR env var, and manipulates local files (data.jsonl, config.txt). The runtime instructions are therefore not uniform across the package and include file I/O that is not declared in the primary documentation.
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain install risk. However the bundle includes two executable shell scripts that would be present on disk when the skill is added; those scripts may be executed by the agent and perform filesystem operations. No external downloads or obscure URLs are used.
Credentials
No required environment variables or credentials are declared. The scripts optionally respect LAUNCHPAD_DIR (defaulting to $HOME/.launchpad), which is reasonable for a local CLI but is not listed in the primary metadata — an informational mismatch rather than an overbroad secret request.
Persistence & Privilege
always:false (normal). The nested CLI persists data and config under ~/.launchpad (or LAUNCHPAD_DIR). Local persistence is plausible for a notes/entries CLI, but the presence of persistent writes is not communicated consistently in the top-level SKILL.md — check that you accept local file writes before installing.
What to consider before installing
This package contains two different skill descriptions and two different scripts whose behaviors do not match. Before installing: (1) Inspect which SKILL.md your agent will use and which script it will invoke — the top-level script is read-only reference content; the nested script stores data under ~/.launchpad. (2) If you are uncomfortable with local file writes, do not install or run the skills/launchpad script; you can set LAUNCHPAD_DIR to a sandbox directory if you test it. (3) Review the scripts (they are plain shell) for any actions you don't want (they perform sed -i and write files). (4) Run the skill in a sandbox or container first to verify behavior. If you want a purely read-only reference, prefer the top-level script and remove/ignore the skills/launchpad CLI files.

Like a lobster shell, security has layers — review code before you run it.

latestvk979atea4f8a4tqj2yhmq2pdh183g3fd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments