Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Get You Some Britches

v1.0.0

Use this skill any time I start complaining about my love life, or, if I indicate I need to find some pants.

0 · 1.8k · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (search stores for pants) is plausible without credentials or special binaries. However, the package includes two Python scripts (aggregate_results.py, size_converter.py) even though the SKILL.md presents the skill as instruction-only and declares no runtime execution of code. Presence of scripts is not clearly justified by the manifest or instructions.
Instruction Scope
SKILL.md is high-level and does not specify any concrete endpoints, APIs, or commands to run. It claims to 'Searches Target and Global Brands Store' but gives no guidance on whether this is via public APIs, scraping, or other network calls. The instructions do not reference the included scripts, so it's unclear if those files are intended to be executed — granting the model latitude to run arbitrary code or perform network scraping would be scope creep.
Install Mechanism
No install spec is provided (instruction-only), so no automatic download or execution step is declared. That is lower risk in general. The concern is the presence of code files without any install/run instruction: if the agent executes them manually, they will run, but nothing in the skill documents that this is expected.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate to the stated non-sensitive purpose (shopping assistance). There is no explicit request for unrelated secrets.
Persistence & Privilege
No privileged flags (always, disableModelInvocation) are set. That said, because disableModelInvocation is not explicitly set true, the model may invoke the skill autonomously under default policies. Combined with the unexplained scripts, this means the model could potentially execute code or perform network activity without a clear explicit trigger.
What to consider before installing
This skill is likely harmless in intent but contains unexplained Python scripts and vague instructions about searching external stores. Before installing: (1) ask the publisher why the two scripts are included and request their source code contents or a short summary of what they do; (2) confirm whether the skill will perform network requests or web scraping and which domains/endpoints it will contact; (3) request an explicit run/install procedure (if scripts must be executed) and consider running them in a sandbox for review; (4) avoid installing if the author cannot justify the scripts or provide clear, auditable code. If you proceed, audit the scripts for data exfiltration or unexpected file/system access.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977eytyqs1khtkpgxjxhggjah7zg17p
