Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Regexr

v2.0.0

Create, test, and learn regular expressions with live matching. Use when validating patterns, checking groups, generating regex, linting syntax.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implemented behavior: a CLI regex tool that validates, explains, lints, converts, previews and logs patterns. No unrelated env vars, binaries, or config paths are required.
Instruction Scope
SKILL.md and the script limit their actions to local pattern processing and file-based logging under ~/.local/share/regexr. However, every user-supplied pattern/input is persisted to local log files (history.log and per-command logs), which can include sensitive data. The JSON export implementation is naive and likely to produce malformed output or expose raw contents without escaping.
Install Mechanism
No install spec; this is instruction-only with a bundled bash script. Nothing is downloaded from external URLs or written outside the user's home directory. Risk from install mechanism is low.
Credentials
Skill requests no environment variables or credentials. The data directory is in the user's home and is reasonable for a CLI tool. No unnecessary secrets requested.
Persistence & Privilege
Skill writes persistent logs to ~/.local/share/regexr and can export them; this is expected for the tool but users should be aware of persistent storage of inputs. always:false and default autonomous invocation are used (normal).
Assessment
This skill appears coherent and does what it says: a local CLI regex helper that logs your activity to ~/.local/share/regexr. Before installing, consider:
(1) Any patterns or sample text you pass (which may contain secrets, tokens, or PII) are saved unencrypted in that directory. Avoid submitting sensitive strings, or configure the script to use a non-persistent data directory or one you control.
(2) The JSON export in the script is implemented naively (no escaping, and the final newline/closing bracket handling looks incorrect) and may produce malformed exports or leak raw values. Review and patch the export code before sharing exported files.
(3) If you need stronger privacy, run the script in a sandbox or modify it to avoid logging or to encrypt logs.
Otherwise the skill is internally consistent and does not request unrelated credentials or network access.

Like a lobster shell, security has layers — review code before you run it.
