ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unified Find Skills

v1.0.0

Helps users discover and install agent skills from skills.sh, clawhub.com, and tessl.io. Use when the user asks to find a skill for a task, extend agent capa...

0· 881·5 current·5 all-time
byBowen Dwelle@bdwelle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the instructions: the SKILL.md only searches three registries (skills.sh, clawhub, tessl.io) and provides install commands. No unrelated secrets, binaries, or system-level accesses are requested.
Instruction Scope
Instructions remain within the scope of searching and installing skills, but they recommend running network commands (npx, curl, grep) and installing third‑party CLIs (npm install -g clawhub, tessl CLI). These are expected for this purpose but involve executing code fetched from the network—users should review packages/URLs before running installs.
Install Mechanism
This is an instruction-only skill (no install spec). It does not install code itself. It instructs the agent/user to use npx, npm, clawhub, tessl, and curl which are standard mechanisms for discovering/installing skills and are proportional to the task.
Credentials
No environment variables, credentials, or config paths are requested. The recommended commands do not attempt to read unrelated system credentials or files.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system-wide configuration by itself.
Assessment
This skill appears to do what it says: search registries and suggest install commands. Before running any suggested install commands (npm install -g, npx skills add, tessl/clawhub installs, or curl pipelines), review the package source and repository links yourself. Global installs and automated flags (-g, -y) install code from the network without prompting—consider installing in a sandbox or with a non-root user, and avoid blindly piping curl to shell. If you want additional assurance, ask the skill to first show the exact repository/URL and README for each candidate skill before performing any install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97189mbvh2wds8fg4ymrq797s81cyym

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments