Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Looper

v1.2.0

Automate content creation, code improvement, and social media posting via Looper (looper.bot). Use when setting up automated blog posts, continuous code impr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and helper script clearly require a Looper admin key (LOOPER_ADMIN_KEY) and describe GitHub/Stripe/social integrations — that's consistent with the stated purpose. However, the registry metadata lists no required environment variables or primary credential, which is an inconsistency: the skill will not work without LOOPER_ADMIN_KEY and GitHub/third-party connectivity for some features.
Instruction Scope
Instructions focus on API calls to https://api.looper.bot and include examples that create loops which can automatically commit to GitHub and embed third-party API keys inside the prompt payloads. The agent instructions do not read local system files, but they do direct sensitive data (admin key, upload_post_api_key) to the remote service and encourage 'auto' commit mode which gives the service ability to modify your repos.
Install Mechanism
No install spec — instruction-only plus a small helper shell script. Nothing is downloaded from third-party URLs or installed on disk by the skill itself, which keeps install risk low.
Credentials
The SKILL.md requires LOOPER_ADMIN_KEY (a powerful tenant-scoped credential) but the registry didn't declare it. Additionally, examples show placing other API keys (e.g., upload_post_api_key) inside loop prompts/target configs; these keys would be transmitted to and stored by the Looper service. Requesting an admin key for the service is proportionate to the functionality, but the omission from registry metadata and the potential for storing many third-party keys is a notable risk.
Persistence & Privilege
The skill is not always-enabled and does not request system-level persistence. However, Looper's 'auto' mode can autonomously commit changes to connected GitHub repos and run scheduled loops; combined with the admin key this grants the external service broad operational ability. Autonomous invocation is the platform default — the real risk comes from the admin key + auto-commit configuration, not from the skill flags.
What to consider before installing
Before installing, confirm you trust https://looper.bot and understand that:
- The skill needs a LOOPER_ADMIN_KEY (admin API key) even though the registry metadata omitted it — you must supply this as an environment variable for the helper script and the SKILL to operate.
- In 'auto' mode Looper can commit changes to connected GitHub repos; prefer 'propose' (PR) mode during testing and grant the minimal GitHub permissions (use a dedicated bot/service account if possible).
- Do not place unrelated high-value secrets (personal API keys, production DB credentials) into loop prompts or target_config; examples show embedding upload_post_api_key in payloads which will be sent to and may be stored by the Looper service.
- Verify how Looper stores and logs prompts/keys (privacy/security policy) and rotate keys you provide periodically.
- The registry inconsistency (missing required env var) suggests sloppy packaging — ask the publisher to correct the metadata and provide an explicit list of required credentials and recommended least-privilege scopes before you proceed.

Like a lobster shell, security has layers — review code before you run it.

latestvk979303rf68y65jreb5d514csd836e62


Runtime requirements

🔄 Clawdis
