Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Banks
v0.1.0
Find nearby banks. Invoke when user asks for bank branches near me.
by @clawkk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description and the SKILL.md all describe a simple 'nearby banks' POI lookup — this is coherent. However, the SKILL.md references a response schema file via a local file:// path (STANDARD_RESPONSE.md) that is not bundled with the skill, which suggests a missing dependency or implicit expectation of local project files.
Instruction Scope
Instructions define inputs, outputs, error codes, and privacy guidance and stay within the declared purpose. But they mention a data provider (PROVIDER_UNAVAILABLE) and rate limiting without specifying which external API to call, endpoints, or required credentials. The reference to a local file path (file:///Users/...) for STANDARD_RESPONSE.md is outside the skill bundle and would require the agent to access local filesystem paths not included in the skill.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. The skill is instruction-only, so nothing is written to disk by an installer.
Credentials
The skill declares no required environment variables or credentials, yet it implies querying an external provider for POI data. A provider API typically requires credentials or an endpoint; the absence of any declared env vars or primary credential is a mismatch and may hide implicit requirements.
Persistence & Privilege
always is false and the skill has no install-time hooks or config changes. It does not request persistent privileges or modify other skills' settings.
Scan Findings in Context
[no_code_files] expected: The skill is instruction-only so the regex scanner had no code to analyze — this is expected. Because of that, the SKILL.md is the primary surface for security review.
What to consider before installing
This skill appears to be a straightforward 'nearby banks' lookup, but it leaves out important operational details. Before installing or enabling it, ask the publisher: (1) Which data provider or API will the skill call to get bank locations? (2) Will it require API keys or endpoints, and if so where/how should those credentials be supplied and stored? (3) Provide or bundle the STANDARD_RESPONSE.md schema (or an accessible URL) so you know exactly what the skill will return. Also confirm the privacy controls: ensure it will only query after explicit user location consent and that precise coordinates are not logged or exfiltrated to unknown endpoints. If the author cannot clarify these points, treat the skill as incomplete/suspicious and avoid granting it access to real location data.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cn963p5m012t2fx3d2jpw3d83eqaq
