Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CLIProxy FREE API
v1.0.0Deploy and configure CLIProxyAPI, expose its dashboard safely, connect OAuth providers like Claude Code, Gemini, Codex, Qwen, and iFlow, generate a reusable...
⭐ 0· 115·0 current·0 all-time
by@ayder21
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (install CLIProxyAPI, expose dashboard, add OAuth providers, produce an API endpoint/key, integrate with OpenClaw) matches the included documentation and the single smoke-test script. Nothing in the bundle requests unrelated credentials or capabilities.
Instruction Scope
SKILL.md instructs the agent to inspect the host environment (OS, presence of Docker/systemd/nginx/Caddy, firewall state) and to perform deployment and reverse-proxy configuration. These actions are coherent with installing a server-side service but imply the operator or agent will need local system access and possibly elevated privileges; the skill does not attempt to read or exfiltrate unrelated files or env vars in its instructions.
Install Mechanism
This is an instruction-only skill with no install spec. That is low-risk: it won't automatically download/execute code. The included references advise cloning upstream and running its install steps, which is expected for a deployment helper.
Credentials
No environment variables or credentials are declared or required by the skill package itself, which is appropriate since OAuth tokens and API keys are expected to be provisioned inside the deployed CLIProxy instance or entered interactively. The docs explicitly treat API keys and OAuth tokens as sensitive. Users should note the skill will ask them to capture and share base URLs, keys, and model names for integration—these are necessary for the stated task but must be handled securely.
Persistence & Privilege
The skill does not request persistent always-on inclusion, nor does it modify other skills or system-wide agent settings in the package. It only contains guidance and a smoke-test script; no background daemon or automatic persistence is installed by the skill itself.
Assessment
This skill appears coherent and focused on deploying and integrating CLIProxyAPI. Before proceeding: (1) verify the upstream CLIProxy project you will clone — this skill has no homepage/source URL in its metadata, so confirm the correct project repository and trustworthiness; (2) be prepared to run commands that may require sudo/root rights and to create systemd units or reverse-proxy configurations—review commands before executing; (3) never paste OAuth client secrets or long-lived API keys into public chat—treat them as sensitive and use secure transfer methods; (4) when exposing the dashboard publicly, follow the reverse-proxy and HTTPS guidance and confirm firewall rules and reachable URLs; (5) the included smoke-test script will send your API key in curl requests—avoid running it in logs or contexts where the key might be captured. If you want tighter assurance, ask the skill author for the exact upstream repository URL and for an explicit checklist of commands the agent will propose before executing anything on a host.Like a lobster shell, security has layers — review code before you run it.
latestvk976yfd4ezb6dqrjh3e0h7ahfh83gejz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
OSLinux · macOS