Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

API Health Check

v1.0.0

Check the health and status of popular AI APIs and services — OpenAI, Anthropic, Pollinations, OpenRouter, Gemini, and more. Use when the user wants to know...

by CJ Hauser @cloudcompile
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included script and behavior: it contacts known AI API endpoints and reports HTTP status and latency. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits runtime behavior to issuing HTTP HEAD/GET checks and summarizing results. The script itself performs only network requests and prints output (no file reads/writes, no env var access). However, SKILL.md mentions HEAD/GET while the script uses only HEAD; some endpoints may not respond correctly to HEAD. The script also disables TLS verification (see below), which is outside the stated 'lightweight' health-check necessity.
Install Mechanism
Instruction-only with a small Python script, no install spec and no external downloads — low install risk.
Credentials
The skill requests no environment variables or credentials. Its network access to the listed API hostnames is proportionate to its stated purpose.
Persistence & Privilege
No elevated persistence requested (always:false). The skill does not modify agent/system configuration or require permanent presence.
Scan Findings in Context
[insecure-ssl-disable] unexpected: The script explicitly disables TLS certificate verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). Disabling certificate validation is unnecessary for a health-check utility contacting public APIs and exposes the tool to man-in-the-middle (MITM) attacks. This is not expected for a benign health-check and is the primary security concern.
What to consider before installing
This skill appears to do what it says—query public AI API endpoints and report status—but it disables SSL certificate verification in the Python script, which is unsafe: an attacker on your network could spoof API responses and cause misleading results or leak information. Recommended steps before installing or running: (1) Inspect or run the script in a network-isolated environment; (2) remove the lines that set ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE so the default certificate validation is used; (3) consider changing the request to a GET when HEAD is unsupported, or add fallback logic, and add retries/backoff; (4) prefer using a well-maintained HTTP library (requests) with verify=True and clearer error handling; (5) if you can't review or modify the code, run it only on trusted networks or avoid using it. Given the TLS bypass, treat this as suspicious until that issue is fixed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cpg5yrc5tnt983kp8h1gg8x846ehb
