Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Anthropic
v1.0.0Anthropic Claude API integration — chat completions, streaming, vision, tool use, and batch processing via the Anthropic Messages API. Generate text with Cla...
⭐ 0· 1.6k·16 current·18 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description promise: complete Anthropic Messages API support including streaming, image analysis, tool use, and batch processing. What is present: a single stdlib Python CLI that only issues simple HTTP requests (GET/POST) to a set of constructed endpoints. Several claimed capabilities (streaming, image upload/analysis, tool calling with structured input, real message sends) are not properly implemented: e.g., image handling and streaming would normally require multipart uploads or chunked reads, but the code uses urllib.request.urlopen(read()) with no file upload or streaming logic. Many CLI commands that one would expect to POST data instead call GET endpoints. This mismatch suggests the code is a stub or incomplete and does not deliver the full features the SKILL.md advertises.
Instruction Scope
SKILL.md instructs the agent to run commands that imply uploading images, streaming responses, and tool-enabled chats. The runtime instructions do not disclose that the script will fall back to reading a .env file in a workspace path if ANTHROPIC_API_KEY is not set. The script reads WORKSPACE (if set) or ~/.openclaw/workspace/.env to find the key, which is broader local-file access than the SKILL.md explicitly highlights. Also the instructions assume the CLI will implement features it apparently does not (streaming, image analysis), giving an overbroad impression of capabilities.
Install Mechanism
No install spec; instruction-only plus a single Python stdlib script. No external downloads or package installs. This is low-risk from an installation/execution-files perspective.
Credentials
Declared requirement: ANTHROPIC_API_KEY (primary credential) — appropriate for an Anthropic integration. Implementation detail: the script will also consult a WORKSPACE env var (if present) and attempt to read a .env file in that workspace (~/.openclaw/workspace/.env by default) to extract ANTHROPIC_API_KEY. While the script only attempts to parse a line starting with ANTHROPIC_API_KEY= (so it isn't indiscriminately reading other secrets), the fallback file access is broader than the simple single-env-var requirement and may surprise users who store other credentials in that .env file.
Persistence & Privilege
Skill is not always-included and uses default agent invocation settings. It does not attempt to modify other skills or agent-wide configuration. It does read a local file as a fallback for the API key, but it does not persist credentials itself.
What to consider before installing
This skill is not clearly dishonest, but it is inconsistent. Before installing: 1) Inspect and test the included script in an isolated environment — it looks like a stub and may not actually perform streaming, image uploads, or tool-calling as advertised. 2) If you rely on the advertised features (streaming, vision, tool use), prefer the official SDK or a more complete implementation; do not assume these work. 3) Be aware the script will try to read ANTHROPIC_API_KEY from a fallback ~/.openclaw/workspace/.env (or a WORKSPACE path you set). If you store other secrets in that .env, move them or supply the API key via environment variable to avoid accidental exposure. 4) If you need higher assurance, ask the author for an explanation of the GET/POST semantics and a demonstration of image upload and streaming, or request source from the claimed GitHub link and validate network calls. If you cannot validate those, treat this skill as incomplete and avoid using it with production secrets.Like a lobster shell, security has layers — review code before you run it.
latestvk971fcb5pavtq9y1zh6459ze5x81chav
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔮 Clawdis
EnvANTHROPIC_API_KEY
Primary envANTHROPIC_API_KEY