Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Gauntlet Graph Search

v1.0.0

Search the code knowledge graph by function, class, or type name using FTS5 full-text search with query-aware kind boosting

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (FTS5 search of a code knowledge graph) is consistent with the instructions to run a graph_query.py script against .gauntlet/graph.db. However, the SKILL.md expects a runtime environment (CLAUDE_PLUGIN_ROOT, python3) that the registry metadata does not declare — a minor incoherence.
Instruction Scope
Instructions are narrowly scoped to running the plugin's graph_query.py against .gauntlet/graph.db and optionally reading the matched source file. The instructions do not ask the agent to exfiltrate results to external endpoints or to read unrelated system-wide files.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded or written by the registry itself. Risk comes from running a local script (plugin's scripts/graph_query.py) at runtime, which is expected for this kind of plugin.
Credentials (flagged)
SKILL.md uses the CLAUDE_PLUGIN_ROOT environment variable and invokes 'python3', but the registry lists no required env vars or binaries. This mismatch is concerning because the skill depends on an undeclared environment and an executable that may or may not be present — and the script executed could read arbitrary files under the plugin root.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skills or global agent configuration according to the metadata.
What to consider before installing
This skill appears to do what it says (search a local .gauntlet/graph.db), but the SKILL.md expects CLAUDE_PLUGIN_ROOT and calls python3 even though the registry lists no required env vars or binaries. Before installing or running it:
1) verify that CLAUDE_PLUGIN_ROOT will be set to a trusted plugin checkout;
2) inspect the file scripts/graph_query.py in that repository to confirm it only reads the graph and source files you expect;
3) ensure python3 is available in a controlled/sandboxed environment;
4) only run this if you trust the plugin source or after reviewing the script — otherwise run the search in a sandbox, or ask the skill author to declare the required env vars and binaries explicitly.


latest: vk97cqpd7sags34xw30yj4ndx6984qn23


Runtime requirements

🦞 Clawdis
