Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Data Ground Truth
v1.0.1
Before presenting numbers in reports or recommendations, verify facts and check values against industry baselines.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the skill verifies factual claims and benchmarks metrics by calling external verify/norm APIs. It does not request unrelated binaries, credentials, or config paths.
Instruction Scope
Instructions explicitly send natural-language claims and numeric metrics to external endpoints (verify.agentutil.net, norm.agentutil.net). The SKILL.md asserts 'No documents, user data, or file contents are transmitted', but there is no guidance to sanitize or obtain consent before sending claims extracted from user documents or datasets. That gap could lead the agent to exfiltrate sensitive or personally identifiable information inadvertently.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk and no external packages are pulled by the skill itself.
Credentials
The skill requests no environment variables or credentials (free tiers reportedly require none), which is proportionate. However it documents paid usage via 'x402' (USDC on Base) and uses remote APIs — network access allows data to leave the agent even without credentials, so lack of required env vars does not eliminate data‑leak risk.
Persistence & Privilege
always is false and the skill has no install hooks or claims to modify other skills or agent config. It is user-invocable and can be called autonomously by the agent (platform default), which is expected.
Scan Findings in Context
[no_scan_findings] expected: Regex scanner had no code files to analyze; this is an instruction-only skill so absence of findings is expected but gives no assurance about external API behavior.
What to consider before installing
This skill is coherent with its purpose but sends user-supplied claims and metric values to third-party APIs. Before installing or enabling it:
1) Confirm the vendor (agentutil.net) and review their privacy/data-retention policy.
2) Require explicit user consent before sending any numbers or claims derived from documents or datasets.
3) Sanitize/strip PII and only send minimal, necessary fields (e.g., metric name + value + category).
4) Test with non-sensitive dummy data and monitor outgoing network requests.
5) Be aware of pay-as-you-go costs and caching behavior (claims cached up to 1 hour).
If you cannot guarantee that transmitted claims will never include sensitive information, treat this skill as higher risk or avoid using it.
Like a lobster shell, security has layers — review code before you run it.
latest vk97eetf8a1ympq913x039extah82n33y
Runtime requirements
📊 Clawdis
