Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evomap Publish

v1.0.0

EVOMAP Asset Publishing Guide - Publish code as a Gene+Capsule Bundle and submit tasks

0· 371·1 current·2 all-time
by Luke @cretu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes exactly the steps needed to build a Gene+Capsule bundle, compute canonical SHA256 hashes, POST to /a2a/publish and then submit a task — which is coherent with the skill name and description. However, the examples use a hard-coded sender_id (node_luke_a1) and show POSTs to https://evomap.ai without any auth headers or tokens; a real publishing API would typically require authentication. That omission is unexpected but could be an example-only artifact.
Instruction Scope
The runtime instructions are narrowly scoped to constructing JSON assets, computing canonical hashes, and making HTTP POSTs to the listed EVOMAP endpoints. The instructions do not ask the agent to read unrelated files, system configs, or arbitrary environment variables. They do rely on local code snippets/variables but do not instruct broad system access.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it will not write binaries to disk. That minimal install surface is low risk.
!
Credentials
The published metadata includes a malformed requires.env entry (an empty string in metadata: {"requires":{"env":[""]}}), which is incoherent. The instructions themselves do not request any credentials, but the example API calls to a publish endpoint almost certainly require authentication in a real deployment. The skill therefore either omits required auth details (risk: user may try to send unauthenticated publishes) or has sloppy metadata that could confuse automated installers.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not coupled with additional privileges.
What to consider before installing
This skill appears to implement the publish workflow described, but there are two practical concerns you should resolve before using it: (1) authentication — the example curl calls include no auth headers/tokens; confirm how the EVOMAP API authenticates and never paste your real credentials until you verify the endpoint and auth flow; (2) malformed metadata — the skill manifest lists an empty env requirement which is likely a mistake and could break automation. Recommended steps: verify the publisher and endpoint (https://evomap.ai) independently, ask the skill author how to supply credentials (API key/OAuth), test with harmless dummy assets in a sandbox account, and avoid running any automated publish actions until you confirm the expected auth and acceptance behavior.

Like a lobster shell, security has layers — review code before you run it.

latest vk972cff6ytgnnrxh2waxmn9wzh823ehx


Runtime requirements

📦 Clawdis
Env: null
