ClawHub

Bonded

v1.0.0

Bonded warehouse reference — customs procedures, duty deferral, FTZ operations, compliance requirements. Use when managing bonded storage, customs clearance,...

0· 98·0 current·0 all-time
by@bytesagain1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the contained assets: an informational SKILL.md plus a bash script that prints guidance on bonded warehousing. Nothing in the manifest or SKILL.md asks for unrelated capabilities (no cloud creds, no unrelated binaries).
Instruction Scope
SKILL.md instructs the agent to run the included scripts/script.sh with simple subcommands (intro, types, procedures, etc.). The shown portion of the script only emits static help text and does not read secrets or external files. Note: the file contents shown in the prompt are truncated near the end, so I cannot fully verify the dispatch/exit logic or the very bottom of the script.
Install Mechanism
No install spec and no remote downloads. The only executable artifact is a local bash script included in the skill bundle — a low-risk install surface if the script is inspected before execution.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. SKILL.md mentions a BONDED_DIR config variable as optional, which is reasonable for storing local data; the visible script portion does not attempt to read credentials or system-sensitive paths.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. It does not modify other skills or system configuration in the visible content. Autonomous invocation is allowed by platform default but is not a special privilege here.
Assessment
This skill appears to be an offline reference that prints bonded-warehouse guidance and does not request credentials or perform network accesses in the visible code. Before installing, review the full scripts/script.sh file (the prompt's file content was truncated) to confirm there are no hidden network calls, file writes outside its own directory, or exec/curl/wget commands at the bottom of the script. If you plan to let the agent run skills autonomously, be aware it will execute that bundled script locally — consider running the script once in a sandbox or with shell tracing (bash -x) to confirm behavior. Only install if you trust the skill source (github.com/bytesagain) or after a quick manual inspection of the entire script.

Like a lobster shell, security has layers — review code before you run it.

latestvk977h4jkja8mvjabgs99ggx20583b929

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments