Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Thesaurus

v2.0.1

Look up synonyms, antonyms, and related words with history and export. Use when finding alternatives, checking usage, running drills, analyzing frequency.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (thesaurus CLI that records and exports entries) align with the included shell script and SKILL.md. The script implements commands, local logging, stats, search, and export functionality consistent with the stated purpose.
Instruction Scope
SKILL.md and the script limit themselves to local file operations (creating ~/.local/share/thesaurus, writing/reading .log files, grep/tail/du/wc). There are no instructions to read unrelated system files or to transmit data externally. One minor note: SKILL.md invokes a 'thesaurus' command but provides no automated install; the repository includes scripts/script.sh which appears to be the CLI implementation and must be placed on PATH by the user.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, a script file is included (scripts/script.sh). This is not an automatic downloader — it means a user must install or symlink the script to use the 'thesaurus' command. No remote downloads or extract operations are present in the packaged files.
Credentials
The skill requests no environment variables, no credentials, and uses only the HOME variable to place data under the user's home directory. That is proportionate for a local CLI data-tracking tool.
Persistence & Privilege
Skill is not marked always:true and does not request system-wide configuration changes. It stores data under the user's home directory only. Default autonomous invocation is allowed by platform policy but this skill's local-only behavior keeps blast radius low.
Assessment
This skill appears coherent and offline: it writes logs and exports to ~/.local/share/thesaurus and does not require credentials or network access. Before installing, review or run the provided scripts/script.sh locally (it must be installed or symlinked to 'thesaurus' to work). If you store sensitive text in the tool, remember exports are plain files under your home directory; back them up or delete them if needed. If you want extra assurance, open the full script to confirm there are no hidden network calls before making it executable or placing it on your PATH.

Like a lobster shell, security has layers — review code before you run it.
