Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PaleBlueDot CLI
v1.0.1
Command-line tool for PaleBlueDot AI platform supporting login, API token management, usage and balance queries, and browsing available AI models.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a CLI for authentication, token management, usage queries, and model browsing — that matches the stated purpose. However, the SKILL.md metadata lists a required binary (pbd-cli) while the registry metadata reported no required binaries; this mismatch suggests the registry record and runtime instructions are not fully synchronized.
Instruction Scope
The instructions stay within the CLI's domain: they describe browser-based OAuth callback, a local HTTP server for the callback, manual cookie entry, token and usage commands, and local config storage. The skill does not instruct reading unrelated system files or grabbing arbitrary environment variables. The manual-login flow does ask the user to paste a session cookie (user-supplied data).
Install Mechanism
Although there is no formal install spec in the registry, the SKILL.md includes a One-click Install that pipes a script from raw.githubusercontent.com into bash (curl ... | bash) and installs to /usr/local/bin. Download-and-execute from a remote script is high-risk: while GitHub raw is a common host, piping to bash executes remote code without a local inspection step and can modify system paths. The SKILL.md does not show the install script contents or provide checksums or signed releases.
Credentials
The skill declares no required environment variables or primary credential, which aligns with a client CLI that performs interactive login. It will, however, store session tokens/config locally and manages API tokens — users should expect secrets (session cookies/API keys) to be written to local config. No unrelated credentials are requested.
Persistence & Privilege
always:false and normal autonomous invocation are set (no elevated platform privilege). The install instructions propose placing a binary in /usr/local/bin, which is a persistent, system-wide location and may require elevated permissions; the skill does not ask to modify other skills or system configs beyond installing its binary.
What to consider before installing
This skill appears to do what it claims, but exercise caution before installing. Do not blindly run the suggested curl | bash installer: inspect the install.sh contents and verify the GitHub repository and release artefacts (checksums/signatures) yourself. Prefer downloading an audited release or using a package manager if available. Be aware the CLI stores session cookies/API tokens locally (check the config path and file permissions). If you must use manual login, avoid pasting sensitive cookies into untrusted environments. If you want lower risk, ask the vendor for signed releases or a package that can be inspected before execution, or run the install inside a disposable VM/container.
Like a lobster shell, security has layers — review code before you run it.
