ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Split

v1.0.0

Data splitting techniques and strategies reference — partitioning datasets, string splitting, file splitting, and ML train/test splits. Use when dividing dat...

0· 74·1 current·1 all-time
by@bytesagain1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included files: the SKILL.md is a data-splitting reference and scripts/script.sh implements command handlers that only print documentation. The requested capabilities (none) are proportionate to the purpose.
Instruction Scope
Runtime instructions simply invoke scripts/script.sh with subcommands (intro, string, file, dataset, etc.). The script functions shown print documentation to stdout and do not access external networks or credentials. SKILL.md declares a SPLIT_DIR config (~/.split/) that is not referenced in the script — small scope mismatch. Also the SKILL.md contains detected unicode control characters (prompt-injection pattern) that warrant inspection.
Install Mechanism
No install spec is present (instruction-only with an included local script). Nothing is downloaded or extracted from the network during install.
Credentials
The skill requests no environment variables, credentials, or config paths. The only configuration table entry (SPLIT_DIR) is informational and not required by the shipped script.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system presence. It does not modify other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: The static scan flagged unicode control characters inside SKILL.md which can be used to obfuscate or manipulate prompts. The visible content appears benign, but these characters should be inspected in the raw file to ensure there's no hidden instruction or malicious manipulation.
What to consider before installing
This skill appears to be a local reference/CLI that prints documentation and doesn't require credentials or network access, so its direct risk is low. However: 1) Inspect the raw SKILL.md for invisible unicode control characters (the scanner flagged them) — remove or decode them if present. 2) Review scripts/script.sh locally to confirm it only prints docs (no curl, wget, netcat, or eval of remote content). 3) If you plan to run it, do so in a sandboxed environment first. 4) Note the SPLIT_DIR config is declared but not used; ask the author or check the script if you expect it to read/write files in that directory. If these checks are clean, the skill is likely safe to use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dwm06r9mnc1djhmrf98xn0x83bt9f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments