Safe Skill Advisor

v1.7.0

Security Skill Advisor - Protects you from malicious skills on ClawHub. Provides security warnings, tool recommendations, and a 30-second self-check checklist.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and content are consistent: the skill provides advice, checklists, and tool recommendations for assessing other skills. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
SKILL.md only gives guidance and shell commands for users to run (e.g., pip install cisco-ai-skill-scanner, cisco-scan, secureclaw scan, history, ps, netstat). It does not instruct the AI/agent to read hidden files, environment variables, or to exfiltrate data. Note: it recommends installing third-party scanners and running system commands — these are normal for a security advisor but carry the usual user-side risk (verify tools before running).
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing is downloaded or written to disk by the skill itself (lowest install risk).
Credentials
No required environment variables, credentials, or config paths are declared or referenced. The skill's recommendations (scanners) may ask for their own credentials when used, but that is external to this skill and proportionate to its purpose.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does not request persistent system presence or modify other skills or system-wide settings.
Assessment
This skill is advice-only and coherent with its purpose, but follow these precautions before acting on its recommendations:
1) Verify any external tools it recommends (visit the linked GitHub repos directly, check stars/commits and maintainer identity) before running pip install;
2) Never run curl | bash or execute unfamiliar downloaded archives — the skill itself warns against that;
3) Run third-party scanners in a sandbox or VM if possible to reduce risk;
4) Confirm the reporting email (security@clawhub.ai) is the legitimate ClawHub contact before sending sensitive evidence;
5) Remember this skill only gives guidance — actual risk comes from installing/running other tools or skills it recommends, so inspect those separately.

Like a lobster shell, security has layers — review code before you run it.
