Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GetPost AI and LLM Gateway
v1.0.0
Access 24+ LLM chat models and 16+ image/video generation models via one API.
by domm @dommholland
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (LLM + image/video gateway) matches the SKILL.md, which shows curl examples against getpost.dev endpoints. That capability is coherent. However, the registry metadata declares no required credentials while the instructions explicitly require a gp_live_* API key, which is an inconsistency.
Instruction Scope
The SKILL.md limits runtime actions to curl calls against getpost.dev (signup, chat, generate, jobs). Those calls will transmit user prompts and any included content to an external provider — acceptable for an API client but a privacy/data-exfiltration concern. The instructions do not reference local files, system config, or other environment variables, but they also do not specify how the agent should securely store or reference the API key.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This minimizes installation risk.
Credentials
Registry lists no required env vars or primary credential, yet SKILL.md requires an API key (Authorization: Bearer gp_live_YOUR_KEY). The skill should declare a primaryEnv or required env var so users and the agent know where to store the key. Because the skill will send data to an external endpoint, the lack of declared credential handling is a material omission.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent or system-level privileges and does not modify other skill configs.
What to consider before installing
This skill is basically a set of curl examples for the getpost.dev API. Before installing: (1) confirm getpost.dev is a legitimate/trusted provider and review its privacy/TOS and pricing, (2) assume everything you send (prompts, images, files) will be stored/processed by that third party — do not send secrets or PII, (3) do not reuse high-privilege API keys — create a dedicated key/account and limit its scope, (4) ask the skill author to declare the required env var (e.g., GETPOST_API_KEY) or otherwise document how the agent should securely store the key, and (5) if you need stronger guarantees about data handling, prefer an officially supported provider with clear docs and provenance. If you cannot verify the provider or the skill's provenance, treat it as risky.
Like a lobster shell, security has layers — review code before you run it.
