Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unitconv

v3.0.0

Convert units for length, weight, temperature, data, and speed. Use when switching measurement systems, sizing storage, or adjusting recipe quantities.

by bytesagain4 @xueyetianya
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (unit conversion) match the included script and SKILL.md. The script implements conversions for the listed unit categories with no unrelated functionality.
Instruction Scope
SKILL.md describes running a `unitconv` command and states it uses awk for math; the included scripts/script.sh implements the functionality and calls awk. There is a minor operational inconsistency: SKILL.md examples call `unitconv` but no install steps are provided to place scripts/script.sh on PATH as `unitconv`. This is an operational/usability note rather than a security concern.
Install Mechanism
No install spec is provided (instruction-only) and the single script is readable; nothing is downloaded or extracted from external URLs. This is low-risk from an installation perspective.
Credentials
The skill requests no environment variables, credentials, or config paths. The script reads only its CLI arguments and uses awk; no sensitive environment access is attempted.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify system or other skill configurations. It does not require elevated privileges.
Assessment
This skill appears to be a straightforward unit converter with no network calls or credential usage. Before installing, verify how the script will be invoked in your agent environment (SKILL.md expects a `unitconv` command but the repository provides scripts/script.sh), and confirm the platform will place or wrap that script on PATH or otherwise call it safely in a sandbox. If you want extra assurance, open and review scripts/script.sh (already included) — it contains only simple arithmetic and unit mappings. There are no obvious signs of exfiltration or unrelated capabilities.

Like a lobster shell, security has layers — review code before you run it.

latest vk979crdshjw8aetdb2tn8paz7x837h0s

