Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sku

v1.0.0

SKU management reference — naming conventions, hierarchy design, lifecycle management, and inventory classification. Use when designing product catalogs, cre...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description describe SKU guidance and product-catalog design; the skill only requires running a bundled shell script that outputs those topics. No unrelated credentials, binaries, or installs are requested, which aligns with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to execute scripts/script.sh with subcommands (intro, naming, hierarchy, etc.). The visible portion of script.sh simply prints reference text (safe). However the provided file content is truncated in the review, so it's not possible to guarantee there are no additional commands (network calls, file I/O, or other operations) elsewhere in the script. Running a local script is reasonable for this skill, but execution grants the script the agent runtime's filesystem/network rights.
Install Mechanism
No install specification and no external downloads; this is instruction-only plus a bundled script. That is low-risk compared to remote installs.
Credentials
The skill declares no required environment variables, credentials, or config paths. SKILL.md mentions a SKU_DIR (~/.sku/) default for data, which is proportional for a reference tool but should be checked to ensure it isn't used to access other locations.
Persistence & Privilege
always is false and the skill does not request permanent presence or elevated platform privileges. Autonomous invocation is permitted by default (platform behavior) — combine that with the ability to run local shell scripts only if you trust the code.
What to consider before installing
This skill looks coherent with its purpose and most of the visible script just prints documentation, but the provided script content was truncated in the review — do not assume safety until you inspect the entire scripts/script.sh. Before installing:
(1) open and read the full scripts/script.sh to confirm there are no curl/wget/ssh/netcat calls, no exec of downloaded code, and no writes to sensitive paths or reads of secrets (e.g., ~/.ssh, ~/.aws);
(2) confirm SKU_DIR is not set to an important system path and that the script does not overwrite files unexpectedly;
(3) if you cannot review, run the skill in an isolated/sandboxed environment or deny autonomous execution.
If the full script contains only the documented printouts, the skill is benign; if it contains network or file-manipulating commands, treat it as risky.

Like a lobster shell, security has layers — review code before you run it.

latest vk975sxavgkzrmqe5zjabd9q8gd83b7x8
