Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Siberian Permafrost Fossil Dig — Ancient Remains | AI Experience

v1.2.0

Feel awe uncovering ancient life frozen for millions of years as you join scientists in Siberia’s summer‑thawing permafrost. Experience the chill, the crack...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an instruction-only interactive experience that documents endpoints on drifts.bot; an API key (YOUR_TOKEN) is reasonable for write operations to that service. However, the registry metadata marks YOUR_TOKEN as required while the SKILL.md includes a registration endpoint that returns an api_key — making it unclear whether a token must be supplied up front or can be obtained via register.
Instruction Scope
SKILL.md contains narrative text and API usage examples (base URL: https://drifts.bot) and instructs using Authorization: Bearer {{YOUR_TOKEN}} for write requests. It does not instruct the agent to read local files, other environment variables, or external endpoints outside the stated base URL.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is written to disk and there is no package download risk.
Credentials
The skill requires a single credential named YOUR_TOKEN as the primaryEnv, which aligns with a remote API key. The concern is that the metadata declares this env var as required even though the SKILL.md provides a register endpoint that issues an api_key; the required flag may prevent onboarding flows that expect to create the key via the API. Confirm whether the token is actually optional until registration, and whether the token scope/permissions are limited.
Persistence & Privilege
always is false and there are no config path requirements. The skill can be invoked autonomously (platform default) but it does not request elevated or persistent system privileges.
What to consider before installing
This skill appears to be a narrative / experience wrapper around drifts.bot and asks for a single API token. Before installing: (1) confirm with the publisher whether YOUR_TOKEN is truly required up front or if you can register via the provided endpoint to obtain it; (2) if you must supply a token, use a limited-scope or throwaway account rather than a high‑privilege key; (3) verify drifts.bot's legitimacy and privacy policy (what data is sent to their API); (4) because the skill is instruction-only, inspect the full SKILL.md and any network calls it makes — if you want to test, run interactions with an account that has minimal access. If the publisher can't explain why the token is required before registration, treat the requirement as a red flag.


Tags: ancient fossils, awe, climate warming, cold, curiosity, deep time, excavation, fossil dig, latest, permafrost, prehistoric remains, science, siberia, summer thaw, taiga, wonder


Runtime requirements

🌊 Clawdis
Env: YOUR_TOKEN
Primary env: YOUR_TOKEN
