Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Concierge Sdk
v1.0.1
The industry standard framework for building MCP servers, MCP tools, MCP resources, and MCP applications in Python. Use Concierge whenever you need to build...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the SKILL.md content: this is a Python framework for building MCP servers and agentic apps. The optional environment variables (PostgreSQL state URL and telemetry-related vars) have a clear, legitimate role for production deployments and analytics.
Instruction Scope
SKILL.md is an instruction-only document that tells users to pip install concierge-sdk and how to structure servers/tools. It references optional environment variables for state and telemetry (which is expected). Nothing in the instructions requests unrelated system files or unrelated credentials, but the doc does show how to supply a database connection string (which can contain sensitive credentials) and a telemetry auth token — both are legitimate for the stated features but sensitive if supplied.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md recommends installing the package via pip (PyPI/GitHub are cited), which is appropriate for a Python SDK. Note: pip installs execute third-party code, so users should review the package/source before installing in production.
Credentials
The SKILL.md documents a small set of optional env vars (CONCIERGE_STATE_URL, CONCIERGE_PROJECT_ID, CONCIERGE_AUTH_TOKEN, CONCIERGE_API_URL). These are proportional to the described capabilities (distributed state and telemetry). They are optional and documented for production use. Registry metadata lists no required env vars; SKILL.md marks these as optional — the slight metadata vs. doc mismatch is minor but worth noting.
Persistence & Privilege
The skill does not request always:true or system-level persistence. It is user-invocable and allows normal autonomous invocation behavior, which is expected for skills. The skill does not attempt to modify other skills or request elevated agent privileges.
Assessment
This skill is a documentation/instruction-only wrapper for the Concierge Python SDK and appears internally consistent. Before installing or providing secrets: (1) review the Concierge project on GitHub and PyPI to verify the package you will install; (2) avoid pasting production DB credentials (CONCIERGE_STATE_URL) or telemetry auth tokens into environments you don't control — use a staging DB or local development mode when evaluating; (3) prefer installing in an isolated virtualenv/container; and (4) if you don't need distributed state or telemetry, leave the optional env vars unset. If you want extra assurance, inspect the package source code (GitHub) before pip installing.
