Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Text Transform

v1.0.1

Text transformation, regex, diff, format conversion, and JSON manipulation.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (text transforms, regex, diff, format conversion, JSON operations) align with the provided curl endpoints and operations. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
Runtime instructions explicitly send input to https://text.agentutil.net for transformations and instruct the agent to ask for user permission before sending user-provided content. That scope is appropriate for the stated purpose, but the instructions rely entirely on an external API and assert privacy guarantees (stateless/no retention) that cannot be verified from the SKILL.md. Sending any non-agent-generated text to an external endpoint risks exposing private data; the skill attempts to mitigate this by requiring explicit consent, but the underlying privacy claim remains unvalidated.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself.
Credentials
Skill requests no environment variables, credentials, or config paths. The paid tier and payment mechanism are mentioned but no credentials or keys are required by the skill as delivered.
Persistence & Privilege
always:false and no persistent installation behavior. The skill does not request elevated agent privileges or modify other skills/configuration.
What to consider before installing
This skill legitimately performs text transforms but does so by sending text to an external domain (text.agentutil.net). Before installing or using it: (1) Do not send any sensitive, private, or confidential text to the skill unless you explicitly consent after understanding the risk. (2) Verify the operator and privacy policy of text.agentutil.net — the SKILL.md's claim that data is not retained cannot be verified from the manifest. (3) Prefer local transformations (built-in regex or local libraries) when handling private data. (4) Test with non-sensitive dummy data first to confirm behavior. (5) If you must process private documents, ask the skill author for an audited on-prem/local implementation or an explicit, verifiable data-retention/privacy statement. These precautions will reduce the risk of unintended data exposure.



Runtime requirements

📝 Clawdis
