Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Docs Lookup

v1.0.1

Search pre-indexed developer documentation across 10 platforms — Cloudflare, Stripe, Anthropic, OpenAI, Next.js, and more.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (search pre-indexed docs) lines up with the runtime instructions: all examples call docs.agentutil.net endpoints for query, lookup, and platforms. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
Instructions direct the agent to send user queries (free-form text) to an external API. The SKILL.md also asserts 'No documents, file contents, or user data are transmitted' and 'Queries are not stored' — but it does not define what qualifies as 'user data' or instruct the agent to redact secrets/PII before querying. That is a gap: user-provided code snippets or config could contain sensitive data and would be sent to the external service unless explicitly scrubbed.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest local footprint; nothing is written to disk by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or system access.
Persistence & Privilege
always:false and no special privileges requested. The skill can be invoked autonomously by the agent (default), but that is normal and not by itself a red flag.
What to consider before installing
This skill appears to do what it says (query an external docs API), but you should: (1) verify the service operator (docs.agentutil.net) and read its privacy/retention policy; (2) avoid sending secrets, credentials, or private code/config in queries — the SKILL.md's claim that 'no user data is transmitted' is not enforceable here; (3) test with benign queries first to confirm behavior and response quality; (4) if you must look up sensitive internal docs, prefer an on-prem or vendor-hosted docs source you control; and (5) be cautious about the paid lookup pathway (x402/USDC) — confirm billing and what information is attached to payment requests.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ahb4n3py4azdkz7qj41wxws82mbas

Runtime requirements

📚 Clawdis
