ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawHub Web Only Publish

v1.0.0

Publish skills to ClawHub via web dashboard only. No CLI login, no device flow. Reuse existing browser session.

0· 364·0 current·0 all-time
by@dalomeve
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim web-only publishing and the SKILL.md contains step-by-step browser upload instructions. No unexpected binaries, env vars, or permissions are requested; required actions align with the stated purpose.
Instruction Scope
Instructions are mostly limited to interacting with clawhub.ai via a browser and optionally running `clawhub publish` if an existing CLI token is present. One minor ambiguity: the execution criteria include 'No `clawhub login` in history' which could be interpreted as requiring a check of shell history (a privacy-sensitive action). The SKILL.md does not explicitly instruct reading system files, but the criteria are vague and could encourage agents to inspect local history or config files.
Install Mechanism
Instruction-only skill; no install steps, downloads, or extracted archives. Lowest-risk installation profile.
Credentials
The skill declares no environment variables or credentials, which is appropriate for a web-dashboard workflow. However, the fallback relies on an existing CLI token (not declared or explained where it is stored), which is reasonable but under-specified — the SKILL.md does not state where the token lives or how to access it safely.
Persistence & Privilege
No persistent installation, always:false, and no modifications to other skills or system-wide settings are requested.
Assessment
This skill is coherent with its stated purpose (manual web upload to ClawHub). Before using it: 1) Ensure your browser session on https://clawhub.ai is legitimate and not a shared account. 2) Do not upload files containing API keys, tokens, or secrets — the SKILL.md advises scanning but you should confirm manually. 3) Be cautious about the fallback: if you use `clawhub publish` it will rely on an existing CLI token — verify where that token is stored (CLI config or environment) and avoid granting the agent blanket read access to config or shell history. 4) If you want the agent to perform the publish automatically, explicitly limit which local files it may read; otherwise perform the browser steps yourself. If you want greater assurance, ask the skill author to clarify how the CLI token is obtained and to remove or clarify the 'history' verification criterion.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c1wnvs9zgmg65bv6dndgdsn823cg5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments