ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Seekers Tool

v1.0.0

A Python CLI tool to convert websites, GitHub repos, and various documents into Claude AI skills or other supported AI skill formats.

0· 60·0 current·0 all-time
by@fan166
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim a Python CLI that converts docs/repos/sites into AI-skill packages; the runtime instructions show exactly that (pip install skill-seekers, create/package commands). No unrelated credentials, binaries, or config paths are requested, so the declared purpose aligns with required artifacts.
Instruction Scope
SKILL.md gives explicit CLI commands to install the package and to create packages from URLs, GitHub repos, local directories, and many document types. This is consistent with the stated purpose, but the instructions inherently require reading local files/directories when the user points the tool at them — users should avoid giving it access to sensitive paths. The doc does not instruct the agent to access unrelated system config or secrets.
Install Mechanism
There is no platform install spec in the registry (instruction-only), but the SKILL.md tells users to pip install the package from PyPI (and optional extras). Installing a third-party PyPI package is expected for this tool, but it carries the usual risk that package installation executes arbitrary code on the host. The listed upstream URLs (PyPI, GitHub, project website) are appropriate references rather than obscure download hosts.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate. The tool may process user-supplied local files and network resources (e.g., GitHub, websites), which matches the purpose; there is no hidden request for unrelated secrets.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not attempt to modify other skills or system-wide agent configuration in the provided instructions.
Assessment
This skill appears to do what it claims, but take normal precautions before installing/running third-party tooling: 1) Inspect the PyPI package and GitHub repository (source, maintainer, recent activity) before pip installing. 2) Install in an isolated environment (virtualenv/container) and pin the package version. 3) Avoid pointing the tool at sensitive directories or files; only supply the specific docs/repos you want converted. 4) Do not provide secrets or credentials to the tool unless you understand why they're needed. 5) If possible, review the package source code (or run it in a sandbox) to ensure it doesn't exfiltrate data or perform unexpected network activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ay9krfsdx0as6jkcjwcx7p583hqc3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments