Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Validator

v3.0.1

Validate emails, URLs, phones, dates, and custom patterns. Use when sanitizing input, verifying form fields, checking formats, or enforcing rules.

⭐ 0· 193·0 current·0 all-time

bybytesagain4@xueyetianya

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (validate emails/URLs/phones/dates/patterns) match the shipped script and SKILL.md. Required tools listed (python3, curl, dig) are used by the script for JSON/YAML/csv parsing and optional network/DNS checks.

ℹ

Instruction Scope

The SKILL.md commands map directly to functions in scripts/script.sh. The script reads user-specified files (json/yaml/csv) and may perform network actions (curl for URL HTTP status, dig for DNS) when those binaries are present — expected for this tool, but worth noting because these actions contact external hosts and the tool will read any file path you supply.

✓

Install Mechanism

Instruction-only skill with a bundled shell script; there is no install step, no external downloads, and no archive extraction. Nothing is written to disk beyond running the provided script.

ℹ

Credentials

The skill declares no required environment variables and does not request credentials. Internally it sets temporary env vars (e.g., FILE, NUM) for local subprocesses. It can process sensitive inputs (credit card numbers, files) supplied by the user — treat those inputs as sensitive when using the tool.

✓

Persistence & Privilege

Does not request persistent presence (always:false), does not modify other skills or system config, and does not store credentials. Agent autonomous invocation default is unchanged.

Assessment

This skill appears to do what it says: local validation plus optional network/DNS lookups. Before using it: (1) review or run the script locally from a trusted environment; (2) avoid passing real production secrets (full credit-card numbers, private files) unless you trust the runtime, because the tool will read and process whatever file or string you provide; (3) be aware that URL/domain commands will make outbound requests if curl/dig are available (which could reveal that you checked that host); (4) YAML validation attempts to import PyYAML if present — otherwise a basic fallback is used. If those behaviors are acceptable, the skill is internally coherent.

Like a lobster shell, security has layers — review code before you run it.

latestvk977q3xzag9fyj79t0904bb7y1836cp1

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Validator

License

Comments