ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Joke XD

v1.0.0

Generates chaotic, meme-filled jokes using Gen Alpha/Gen Z slang and surreal humor with short, punchy, internet-culture-packed lines.

1· 94·0 current·0 all-time
bywow@duanc-chao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the SKILL.md all describe a persona-based joke generator using Gen Alpha/Gen Z slang; no credentials, binaries, or config paths are requested, so requested capabilities align with the stated purpose.
Instruction Scope
The instructions are limited to generating persona-driven jokes and include examples — they do not ask the agent to read files, access credentials, or call external endpoints. However, the SKILL.md triggered a prompt-injection pattern (unicode-control-chars), which could be used to obfuscate additional instructions or manipulate model behavior; this is unexpected for a simple joke skill.
Install Mechanism
No install spec or code files are present; the skill is instruction-only, which minimizes filesystem and execution risk.
Credentials
The skill declares no environment variables, credentials, or config paths — proportionate for a text-only joke persona.
Persistence & Privilege
Defaults are used (always: false, agent invocation allowed). There is no request for permanent presence or changes to other skills/config; nothing indicates elevated privilege requirements.
Scan Findings in Context
[unicode-control-chars] unexpected: The presence of unicode control characters is not expected for a benign persona/instruction file. Such characters can hide or alter prompt text and may be an attempt at prompt injection or obfuscation. The rest of the visible content is benign, but this finding justifies manual inspection of the raw file.
What to consider before installing
This skill appears to do what it says (generate meme-style jokes) and doesn't request secrets or system access. However, the SKILL.md contained unicode control characters flagged as possible prompt-injection/obfuscation. Before installing: (1) ask for the original/raw SKILL.md or view it in a hex/plain-text viewer to confirm there are no hidden instructions, invisible characters, or embedded URLs; (2) prefer installing/running it in a sandbox or on a non-production agent first; (3) avoid granting extra permissions or credentials (none are required); (4) if you allow autonomous invocation, consider disabling that temporarily until you validate the skill's content; and (5) if the skill's source/author is unknown (as here), treat it with extra caution — if you can't validate the raw prompt, don't install or limit its use to isolated testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk977mg3ny82q7sa6b65xg1fgqs8397sk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments