ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Popover

v1.0.0

Generate popover UI elements and design assets. Use when building interfaces, creating visual components, or styling web pages.

0· 61·0 current·0 all-time
by@bytesagain3
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description promise a tool to generate popover UI elements and design assets, but the only executable code (scripts/script.sh) implements a local CRUD-style entry manager that reads/writes JSONL and a config file under $HOME/.popover (or $POPOVER_DIR). There is no code to generate UI, assets, CSS/HTML, or interact with design tooling/APIs — this is a functional mismatch.
Instruction Scope
SKILL.md instructs the agent to run scripts/script.sh with commands (status, add, list, search, remove, export, stats, config). Those commands operate only on a local data directory (default ~/.popover). The instructions do not perform network I/O or read other system-wide secrets, and they respect the declared optional POPOVER_DIR config, so runtime scope is limited and explicit.
Install Mechanism
There is no install spec (instruction-only). The only code is a bundled shell script that will run from the skill bundle; nothing downloads remote archives or installs third-party packages during install.
Credentials
The skill declares no required environment variables or credentials. The script respects an optional POPOVER_DIR environment variable (documented in SKILL.md) which controls where it reads/writes data. While that is reasonable for a storage tool, allowing POPOVER_DIR to be set to arbitrary paths could cause the script to write outside the user home directory if misconfigured — be cautious about pointing it at sensitive system locations.
Persistence & Privilege
The skill does not request 'always' presence and uses normal autonomous-invocation defaults. It only writes to its own data directory and config file; it does not modify other skills or system-wide agent configuration.
What to consider before installing
This skill's description promises a popover/UI asset generator, but the shipped script is just a local CLI for storing and managing textual entries (data.jsonl and config.txt under ~/.popover by default). If you expected a UI/asset generator, do not install expecting that functionality. If you still want to use it as a local snippet/entry manager, it's coherent and low-risk: it doesn't contact the network or require credentials. Before installing, consider: 1) confirm with the author whether the description is incorrect or the intended UI-generator code is missing; 2) run the script in a sandbox or test account to verify behavior; 3) avoid setting POPOVER_DIR to sensitive system paths; and 4) if you need real UI/asset generation, find a skill whose code actually creates HTML/CSS/graphics or integrates with design tools/APIs.

Like a lobster shell, security has layers — review code before you run it.

latestvk973yfc4z64p5zfh79kpefkek983b3fv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments