ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Skill ClawHub Skill

v1.0.0

Standardizes skill publishing with required versions and changelogs, and allows verified installation with optional versioning for ClawHub skills.

0· 64·0 current·0 all-time
by@canonxu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its behavior: it standardizes publish/install workflows by wrapping the clawhub CLI. However, the script invokes the 'clawhub' binary at runtime but the skill metadata does not declare any required binaries — an incoherence that could lead to runtime failures or hidden dependencies.
Instruction Scope
SKILL.md and the included script limit actions to publishing, searching, and installing via the clawhub CLI. The script does not read arbitrary system files or environment variables beyond its arguments, nor does it contain obfuscated or exfiltratory code.
Install Mechanism
There is no install spec and the skill is instruction-only with one helper script. The script is small, plain shell, and does not download or extract remote artifacts itself. This is low-risk provided the clawhub CLI it calls is trusted.
Credentials
The skill does not request environment variables, credentials, or config paths. Note: real-world use of the clawhub CLI may rely on credentials/config stored elsewhere (not declared by this skill), which the evaluator should confirm separately.
Persistence & Privilege
The skill is not always-enabled and uses the platform defaults for invocation. It does not modify other skills or system-wide settings.
What to consider before installing
This skill is a simple wrapper that calls the external 'clawhub' command to publish or install skills. Before installing: (1) confirm you have the official clawhub CLI installed and working — the skill metadata should have declared that binary but does not; (2) understand that clawhub operations will contact remote ClawHub services and may use whatever credentials/config your environment already provides (check your clawhub auth tokens); (3) be careful what path you pass to 'publish' — it will publish the directory you point it at, so don't accidentally publish sensitive files; (4) verify you trust the source of this skill (homepage/source are missing) because the wrapper delegates network activity to clawhub; and (5) consider asking the publisher to add 'clawhub' to required binaries in the metadata and to document any required clawhub configuration so the dependency is explicit.

Like a lobster shell, security has layers — review code before you run it.

latestvk97epd2jsf2y6va5hs4ajx4ry983b072

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments