Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

dat-test-skill

v1.0.0

ByteRover usage metrics report. Runs the metrics script to summarise query and curate activity — counts, durations, file changes, and quota errors. Accepts o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md, name/description, and included metrics.ts align: the script calls the local 'brv' CLI (configurable via BRV_CMD) to collect query and curate logs and summarize counts, durations, and quota errors. There are no declared env vars, binaries, or install steps unrelated to gathering ByteRover metrics.
Instruction Scope
The instructions require running metrics.ts (e.g., via 'npx tsx metrics.ts') once per project directory. The script executes the external 'brv' CLI in the given working directory and parses its JSON output. This is within scope for a metrics reporter, but running the CLI means the skill triggers whatever the 'brv' binary does (file access inside the project, network calls from the CLI). The skill itself does not add extra data collection beyond invoking brv and printing summaries.
Install Mechanism
No install spec or external downloads are present; the package is instruction-only with a bundled metrics.ts. Running requires 'npx' and 'tsx' (per the examples) but the skill does not perform any network installs itself.
Credentials
The skill declares no required credentials. It does honor BRV_CMD and BRV_SINCE if set. Be aware that the local 'brv' CLI may rely on separate configuration or credentials stored on the host — these are not requested by the skill but will be used if present. That is expected for a tool that calls a local CLI, but users should confirm the 'brv' CLI is trusted.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not modify system or other skills' configuration. It runs ad hoc when invoked.
Assessment
This skill simply runs your local 'brv' CLI in the project directories you provide and summarizes the JSON it returns. Before installing or enabling it: (1) Inspect metrics.ts (already included) to confirm output meets your needs — it uses child_process.execSync to call 'brv'. (2) Ensure the 'brv' binary you have on PATH (or the path you set in BRV_CMD) is trustworthy and configured appropriately, since it will run in the project cwd and could access project files or make network calls. (3) Test the script locally on a non-sensitive project and with BRV_CMD pointing to a known binary. (4) If you plan to let agents invoke the skill autonomously, remember the skill will run the 'brv' CLI with whatever permissions that CLI has; only enable autonomous use if you trust both the skill and your 'brv' installation.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
metrics.ts:67: Shell command execution detected (child_process).


latestvk9795zagv2zyca1vadrf8391ch851407
