Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

🦄 Unicon CLI

v0.2.0

Add and manage 19,000+ icons from 9 libraries in React, Vue, Svelte, or web projects using the Unicon CLI for search, bundles, previews, and tree-shakable co...

โญ 2ยท 655ยท1 currentยท1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
✓ Purpose & Capability
Name/description describe a CLI for searching, bundling, and generating icon components. The only required binary is node and the install spec is the @webrenew/unicon npm package — both are proportionate and expected for this purpose.
ℹ Instruction Scope
SKILL.md instructs the agent to read project files (package.json for framework detection) and to create/manage `.uniconrc.json` and icon output directories. It also documents a `unicon skill` command that writes assistant skill files into various IDE/assistant directories if run. Those file reads/writes are consistent with the stated functionality but are actions that will modify the user's project and may create files in multiple assistant-related folders if the user invokes the skill installer.
✓ Install Mechanism
Install spec uses the npm package @webrenew/unicon (global install). This is a standard, traceable package installation mechanism; there are no direct-download URLs, extract operations, or obscure hosts in the install instructions.
✓ Credentials
The skill declares no required environment variables or credentials. The references mention optional vars (UNICON_API_URL, UNICON_CACHE_DIR, UNICON_NO_CACHE) which are reasonable for configuring a CLI that talks to an API and manages a cache. No unrelated secrets are requested.
ℹ Persistence & Privilege
The skill is not marked always:true and allows normal autonomous invocation. The documented `unicon skill --ide/--all` feature can write files into many assistant/IDE directories; this is consistent with a command that installs helper files but is an operation the user should be aware of before running.
Assessment
This skill appears to do exactly what it says: it requires node and installs the @webrenew/unicon npm CLI which will read package.json, create/modify `.uniconrc.json`, and generate icon component files in your project. If you plan to install it globally, consider: (1) prefer using npx or a local devDependency if you don't want a global binary; (2) review the package source on npm/GitHub (https://github.com/WebRenew/unicon and https://unicon.sh) before installing to confirm behavior; (3) be aware that running `unicon skill --all` or similar will write assistant/IDE files into many directories — run that only if you intend it; (4) no credentials are required, but you may want to audit the generated files produced in your repo and CI. Overall there are no incoherent or disproportionate requests in the skill materials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cvh9anh3ae7e4m2z7mdj105815m5n


Runtime requirements

🦄 Clawdis
Bins: node

Install

Node: `npm i -g @webrenew/unicon`
