Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kleo Static files

v1.0.0

Host static files on subdomains with optional authentication. Use when you need to serve HTML, images, CSS, JS, or any static content on a dedicated subdomain. Supports file upload, basic auth, quota management, and automatic SSL via Caddy. Commands include sf sites (create/list/delete), sf upload (files/directories), sf files (list/delete).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (serve static files on subdomains with auth) matches the CLI surface, helper script, and install docs. However the registry metadata declares no required environment variables or credentials while the SKILL.md and scripts clearly require SF_API_URL, SF_API_KEY and optionally SF_DOMAIN and paths under /opt and /etc — this metadata omission is inconsistent and should be clarified.
Instruction Scope
Runtime instructions and the helper script stay within the stated purpose: creating sites, uploading files, setting auth, and managing the Caddy/systemd service. Troubleshooting steps reference systemctl, /etc/caddy, and local API health checks, which are expected for a server component. There is no instruction to read or exfiltrate unrelated host secrets in the provided docs/scripts.
Install Mechanism
Installation relies on running remote installers (curl https://raw.githubusercontent.com/... | sudo bash) and other third-party installers (bun.sh, Caddy repo scripts). Executing remote scripts as root by piping them to sudo bash is high-risk; users should inspect the installer contents before executing and prefer manual install steps or running inside an isolated VM/container.
Credentials
The skill requires an API key (SF_API_KEY), API URL (SF_API_URL), domain settings (SF_DOMAIN), and writes/reads service files under /opt, /etc and /var — all reasonable for a hosting service, but the registry declared none. The mismatch between declared requirements and actual instructions reduces transparency and could lead to accidental exposure of the API key or misconfiguration if users don't notice the env requirements.
Persistence & Privilege
The installer and docs instruct creating a systemd service, installing files under /opt, and modifying Caddy configuration — this creates a persistent, system-level component (expected for a self-hosted server). The skill itself is not force-enabled (always:false), but installing it requires root privileges and changes to system-wide services, so take standard precautions.
What to consider before installing
This skill appears to be what it claims (a self-hosted static-file server), but there are concerns you should address before installing:

- The registry metadata does not list environment variables that the SKILL.md and helper script require (SF_API_URL, SF_API_KEY, SF_DOMAIN). Treat that omission as a red flag and insist the author fix the metadata or provide explicit install notes.
- The installation instructions run remote scripts with sudo (curl ... | sudo bash) and pull installers from bun.sh and raw.githubusercontent.com. Do NOT run those blindly as root. Inspect the installer scripts first (download and open them locally) or follow the manual install steps in references/install.md inside an isolated VM or container.
- Installing will create systemd services and modify Caddy configuration (/etc/caddy) and write under /opt and /var; backups and a review of the systemd unit and Caddy snippets are recommended.
- The service issues/returns an API key; treat that key as sensitive. Create a scoped API key, store it securely, and rotate/revoke it if you stop using the service.
- If you only need to use the CLI against an existing service, avoid running the installer: just set SF_API_URL and SF_API_KEY in your environment and use the CLI/helper script after reviewing it.

If you want to proceed safely: review the installer script contents, prefer manual installation steps, run in a disposable VM/container first, and verify any API keys produced before using them in production.
