Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Diataxis Writing
v1.2.1
Diataxis documentation framework practice guide. Provides diagnosis, classification, templates, and quality assessment for four documentation types (Tutorial...
by amumu @amumulam
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, templates, checklists and diagnosis functionality all match a documentation-authoring skill. Supporting multiple output targets (chat, local markdown, GitHub, Feishu/MCP) is reasonable for this purpose. However the skill neither declares required credentials (e.g., GitHub token, Feishu/MCP config) nor required binaries for some outputs (mcporter/Node.js for MCP), which is an incomplete alignment between claimed capabilities and declared requirements.
Instruction Scope
SKILL.md instructs the agent to run the bundled script python3 scripts/output-handler.py --detect to auto-detect available tools and to "test connection to Feishu MCP server" and to check MCP config files (mentions /root/config/mcporter.json and ~/.mcporter/mcporter.json). That implies the script will read local config files (including an absolute /root path) and perform network operations. Those actions go beyond purely generating text and could expose local configuration or attempt outgoing network connections. The instructions do not explicitly require user-supplied credentials or clarify what the detection/test does with any found configs.
Install Mechanism
There is no external install spec — the skill is instruction-plus-bundled-scripts only. No remote downloads or package installs are declared, which reduces supply-chain risk. The changelog indicates the scripts add output-management and an error-logs directory (i.e., the skill may write files locally), but nothing in the manifest shows it pulls arbitrary code from external URLs.
Credentials
The registry metadata declares no required environment variables or credentials, but the skill supports outputs (Feishu via mcporter, GitHub repository) that normally require tokens/configuration. SKILL.md references specific config file paths (including /root) and expects mcporter to be installed/configured; these are sensitive locations and privileges not reflected in the declared requirements. The absence of declared env vars while instructing access to local config and external services is disproportionate and unclear.
Persistence & Privilege
always:false and autonomous invocation are unchanged (normal). The changelog and README mention error-logging and output handlers — the skill will likely create local files (error logs, local markdown outputs) and may write to chosen output destinations (GitHub, Feishu). It does not request permanent platform-wide privileges or indicate it modifies other skills, but it will have the ability to write files and perform network IO when invoked.
What to consider before installing
This skill largely does what its description promises (templates, checklists, diagnosis), but the runtime scripts can read local configuration files and test external services (Feishu via MCP, GitHub) and may create local logs or outputs. Before installing or running it, review the two bundled scripts (scripts/output-handler.py and scripts/diagnose.py) to see exactly which files they read, what network calls they make, and whether they send any sensitive data. If you plan to use Feishu or GitHub outputs, expect to provide credentials — prefer giving those interactively and not storing secrets in global locations. If you are unsure, run the skill in a sandbox/container or with network disabled, or ask the maintainer for explicit documentation of what the detection/test step does and where logs/configs are read/written.
Like a lobster shell, security has layers — review code before you run it.
