Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
SKILL.md describes a Ship Position feature that calls HiFleet's position API and parses AIS/location fields — this aligns with the skill name and description. However, the registry metadata lists no required credentials while the SKILL.md explicitly requires a 'usertoken' (HIFLEET_USER_TOKEN / HIFLEET_USERTOKEN). That mismatch is unexpected and weakens trust.
Instruction Scope
The instructions are narrowly scoped: validate MMSI input, ensure a token is present, and perform a GET to https://api.hifleet.com/position/position/get/token with mmsi+usertoken, then parse results. The document does reference environment variables and project config as token sources; it does not instruct reading unrelated files or exfiltrating arbitrary data.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code files — the lowest-risk install mechanism. There is no download or package installation step.
Credentials
The skill requires a HiFleet 'usertoken' to call the API (reasonable and proportionate), but the registry metadata does not declare this required environment variable or primary credential. That omission could be a packaging mistake or indicate incomplete disclosure about where/how the token will be read/stored.
Persistence & Privilege
The skill does not request always: true, does not include installation scripts, and has no code that would persist or modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
What to consider before installing
The skill's behavior (calling HiFleet's position API) is consistent with its purpose, but the registry metadata fails to declare the required API token. Before installing, ask the publisher to: 1) explicitly declare the required env vars (HIFLEET_USER_TOKEN / HIFLEET_USERTOKEN) in the registry metadata and primary credential fields; 2) document how the token is supplied and stored (environment variable vs platform secret store) and any retention; 3) confirm the api.hifleet.com endpoint is official and trustworthy. Do not provide high-privilege or unrelated credentials. If you must test, supply a limited-scope or read-only token and monitor network calls; prefer installing only after the developer fixes the metadata and provides a privacy/security note.