Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Helm Chart Linter

v1.0.0

Lint and validate Helm charts for structure, security, dependencies, and best practices. Use when asked to lint, validate, check, or audit Helm charts, verif...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Helm chart linting) matches the provided SKILL.md and the included Python script which implements a YAML parser and sets up linting rules for charts. No extraneous capabilities are declared (no env vars, no required binaries, no install).
Instruction Scope
SKILL.md instructs the agent to run the included Python script against a specified chart directory (python3 scripts/helm_chart_linter.py <command> <chart-dir>). That scope is appropriate for linting and the visible code shows parsers and rule checks. However the script file was truncated in the bundle you provided, so I cannot verify there are no instructions or code paths that read unrelated files, access home directories, or transmit data.
Install Mechanism
No install spec is present (instruction-only + bundled script). This minimizes install-time risk — nothing is being downloaded or extracted at install time.
Credentials
The skill declares no required environment variables, credentials, or config paths, and SKILL.md doesn't request any. That is proportional for a local linter which should only need access to the chart directory.
Persistence & Privilege
always is false, user-invocable is true, and the skill does not request persistent system presence or to modify other skills. Autonomy is enabled by default for skills, which is expected here.
What to consider before installing
The skill appears coherent: it bundles a Python linter and SKILL.md that tell the agent to run the script on a chart directory, and it requests no external credentials or install steps. However the main script was truncated in the bundle you provided, so you should:

1) Inspect the entire scripts/helm_chart_linter.py before installing — search for network usage (urllib, http, socket, requests, subprocess with curl/ssh), code that reads outside the specified chart-dir (e.g., expands ~, reads /etc, ~/.ssh), or code that writes to unexpected locations.
2) Run the script in an isolated environment (container or VM) on sample charts first.
3) If you need higher assurance, ask the publisher for a full code review or for a provenance link (homepage or repository) and verify the binary/script hash.
4) Note STATUS.md mentions a price ($59) — confirm licensing and distribution expectations before use.

If the rest of the script contains no outbound/network calls or reads of unrelated files, this skill is likely benign; discovery of network/exfiltration calls or requests for credentials would raise the assessment to malicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ctv0f7w2qpwg5xgkzvepdn184rgba
