ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chen Vassili Clawhub Cli

v1.0.0

Help developers manage OpenClaw skills with the ClawHub CLI. Use when publishing, inspecting, installing, updating, syncing, or troubleshooting ClawHub skill...

0· 74·0 current·1 all-time
by@cs995279497-byte
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md provides exact clawhub CLI commands and workflows for publishing, inspecting, installing, updating, syncing, and troubleshooting skills — this aligns with the skill name and description. No unrelated binaries or capabilities are requested.
Instruction Scope
Instructions stay within the claimed scope (CLI commands, workdir behavior, SKILL.md placement, auth via clawhub). The document references CLAWHUB_WORKDIR and token-based login forms but does not instruct arbitrary file reads or exfiltration. It does instruct users to run local CLI commands which will access local files (expected for this purpose).
Install Mechanism
No install spec or code files are included — this is instruction-only, so nothing will be written to disk by the skill itself. That minimizes installer-related risk.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. The doc references CLAWHUB_WORKDIR and command-line token login, so the CLI (not the skill) may use credentials; you should ensure you trust the clawhub CLI before supplying tokens. The absence of required secrets in registry metadata is proportional.
Persistence & Privilege
always is false and the skill is user-invocable only. There is no install or autonomous persistence requested by the skill itself.
What to consider before installing
The SKILL.md itself appears legitimate for a ClawHub CLI helper, but the package files contain conflicting metadata: _meta.json lists a different ownerId, slug, and version than the registry entry. That mismatch can indicate a packaging error or that the bundle has been republished under a different identity. Before installing or following commands: 1) Verify the publisher (ask for the canonical source or repository and confirm ownerId/slug); 2) Confirm the skill's provenance from the official ClawHub docs or organization; 3) Prefer running clawhub commands in an isolated/test workspace or sandbox; 4) Do not paste tokens or sensitive credentials until you confirm you are interacting with the official clawhub binary and a trusted package. If the publisher cannot explain the metadata discrepancy, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk971vc132pmqbfvjfkmx5jmmsd83e8sd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
OSLinux · macOS · Windows

Comments