Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Resource
v0.1.0
Search and retrieve royalty-free media from Pixabay (images/videos), Freesound (audio effects), and Jamendo (music/BGM). Use when the user needs to find stoc...
⭐ 0 · 379 · 0 current · 0 all-time
by noah (@darknoah)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (Pixabay, Freesound, Jamendo search/download) aligns with the included scripts: pixabay.ts, freesound.ts, and jamendo.ts implement the described functionality. However, the declared registry metadata states no required environment variables or binaries, while both SKILL.md and the scripts require API credentials and expect the Bun runtime. This mismatch (missing declared runtime and credentials) is an inconsistency.
Instruction Scope
SKILL.md and the CLI help text instruct the agent/user to provide API keys (via CLI flags, env vars, or a local config.json) and to run the bundled scripts. The instructions are scoped to the stated purpose and do not try to read unrelated system files or contact unexpected endpoints — the code only calls the official Pixabay, Freesound, and Jamendo APIs and writes results/downloads to disk as expected.
Install Mechanism
There is no install spec (instruction-only), which is low risk. The code files are included and intended to be run with Bun, but the manifest does not declare Bun as a required binary. This omission is a practical/information risk (user may not have Bun) rather than a supply-chain red flag; the scripts themselves do not download or execute unknown remote code.
Credentials
The registry metadata lists no required env vars or primary credential, yet SKILL.md and the scripts use three credential sources: PIXABAY_API_KEY, FREESOUND_API_TOKEN, JAMENDO_CLIENT_ID (also reading/writing a local config.json). Requesting those specific API keys is proportionate for this skill, but the metadata omission is an inconsistency and increases the chance a user will accidentally expose credentials (e.g., committing config.json).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and performs only local file reads/writes (config.json, optional output files). It uses network access to known APIs for its stated purpose. No elevated persistence or cross-skill config changes are present.
What to consider before installing
This skill appears to implement what it claims, but there are two practical inconsistencies you should confirm before installing or running it:
- Runtime requirement: The scripts use the Bun runtime (#!/usr/bin/env bun and bun ./scripts/...). The package metadata does not declare Bun as a required binary. Install Bun or run equivalent Node/ts tooling only after verifying compatibility.
- Credentials & config: The metadata lists no required env vars, but the SKILL.md and scripts expect three API credentials (PIXABAY_API_KEY, FREESOUND_API_TOKEN, JAMENDO_CLIENT_ID) or a local config.json. Do NOT store API keys in a repo or commit config.json. Prefer setting environment variables and verify the source of the skill and trustworthiness of the author before providing keys.
Additional suggestions:
- Review the included TypeScript sources (they are present and readable) to confirm no hidden/obfuscated network endpoints; the code only references the official API base URLs.
- Run the scripts in a sandboxed environment or container first, and avoid providing high-privilege or long-lived credentials until you're comfortable.
- If you plan to use this as an automated/always-invoked skill, ensure the platform's autonomous invocation and network policies are acceptable — autonomous access combined with credentials increases risk.
If you want, I can extract the exact lines where env vars/config are read and where Bun is required so you can audit them quickly.
Like a lobster shell, security has layers — review code before you run it.
latest · vk97fq8fargsche9cshezr6bd2s826hd0
