Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Contact Card

v0.1.0

Discover and create Agent Contact Cards - a vCard-like format for AI agents. Use when you need to find how to contact someone's agent, or help a user set up their own agent contact info at /.well-known/agent-card.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description (agent contact discovery/creation) match the contents of SKILL.md and the supplemental spec/examples. The skill is purely a format/spec and discovery guide and does not request unrelated binaries, environment variables, or credentials.
Instruction Scope
The instructions tell agents to fetch /.well-known/agent-card, parse YAML frontmatter, read prose for routing, and (for testing) POST to webhook endpoints discovered in cards. This is expected for a contact/discovery spec, but note that following these instructions causes network requests and could send content to external webhooks if executed.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk or installed during activation.
Credentials
The skill declares no required environment variables, credentials, or config paths. The spec mentions how cards may reference auth tokens or public keys, but the skill itself does not demand secrets from the environment.
Persistence & Privilege
The skill does not request persistent privileges (always:false). It does not attempt to modify other skills or system configs and does not require being force-included.
Assessment
This skill is a harmless format/spec for publishing agent contact information. Before installing or using it, be aware that: (1) following the instructions will cause the agent to make outbound network requests (fetching /.well-known/agent-card on domains and optionally POSTing to webhook URLs); avoid having the agent send sensitive data to unknown endpoints. (2) If you host an agent-card, do not place secrets (API tokens, private keys, passwords) directly in the card; use documented auth mechanisms (signed messages, short-lived tokens) and advertise how to authenticate rather than embedding secrets. (3) When testing webhooks, use controlled/test endpoints you trust. Otherwise, the skill is internally consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

