ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Talkspresso

v1.0.0

Manage a Talkspresso business (services, appointments, products, clients, earnings, calendar) using the Talkspresso REST API. Use when the user wants to chec...

0· 584·0 current·0 all-time
by@baron-talkspresso
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with the requested capability: all API endpoints and actions in SKILL.md and references/api.md target api.talkspresso.com and relate to profile, services, products, appointments, clients, earnings, calendar, etc. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are explicit and scoped to Talkspresso API calls (curl + jq). They instruct the agent to call only Talkspresso endpoints and to use the TALKSPRESSO_API_KEY. Minor mismatch: SKILL.md assumes presence of curl and jq but the skill's declared requirements do not list required binaries; this is a usability/visibility gap rather than a security mismatch.
Install Mechanism
No install spec or code is included (instruction-only). Nothing will be downloaded or written to disk by the skill itself, which minimizes installation risk.
Credentials
Only TALKSPRESSO_API_KEY is required, which is proportionate to the documented REST API usage. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
always:false and default invocation settings; the skill does not request persistent system privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other concerning factors here.
Assessment
This skill appears to do what it says: it will make API requests to https://api.talkspresso.com using the TALKSPRESSO_API_KEY. Before installing/using it: (1) only provide an API key you control and understand — prefer a key with limited scope or rotate it after use; (2) be aware any data the agent sends/receives (appointments, client info, earnings, files) will go to Talkspresso; (3) ensure the host environment has curl and jq available (SKILL.md assumes them); (4) do not paste your API key into chat logs or public places; (5) if you have privacy or compliance concerns about transmitting client data, avoid granting access or test with a non-production account. Overall the components are internally consistent and proportionate.

Like a lobster shell, security has layers — review code before you run it.

latestvk973yvgdybrgfgq2f1sdf2p9ph81cqgk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
EnvTALKSPRESSO_API_KEY

Comments