Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PagerDuty On-Call
v1.0.0Manage PagerDuty incidents, on-call schedules, escalation policies, and services via the PagerDuty REST API. Use when you need to: (1) List or acknowledge ac...
⭐ 0· 65·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name, description, SKILL.md, and the included script all describe PagerDuty REST and Events API operations (list/ack/resolve/trigger/oncall/etc.), which is coherent with the stated purpose. However the registry metadata declares no required environment variables or primary credential even though both SKILL.md and scripts/pd.py require PAGERDUTY_API_KEY (and the script optionally uses PAGERDUTY_INTEGRATION_KEY and PAGERDUTY_FROM_EMAIL). The missing declaration of required credentials in metadata is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to set PAGERDUTY_API_KEY and optionally PAGERDUTY_FROM_EMAIL, and to run the included CLI or call the documented PagerDuty API endpoints; the runtime instructions and examples map directly to actions in scripts/pd.py. The instructions do not request unrelated files, system-wide credentials, or external endpoints beyond PagerDuty.
Install Mechanism
There is no install spec (instruction-only behavior) and no downloads; the package includes a single Python script which runs locally. This is lower risk than remote installs. The script makes network calls to official PagerDuty endpoints (api.pagerduty.com and events.pagerduty.com), which is expected for this skill.
Credentials
The code requires PAGERDUTY_API_KEY and may use PAGERDUTY_INTEGRATION_KEY and PAGERDUTY_FROM_EMAIL, but the skill metadata declared no required env vars or primary credential. Required env vars with names like *_KEY / *_TOKEN are sensitive; they are appropriate for a PagerDuty integration but should be declared in metadata and documented with minimum needed scopes. The omission makes it unclear what secrets the platform should protect or prompt for.
Persistence & Privilege
The skill does not request always:true and uses default autonomy settings. It does not attempt to modify other skills or system configuration. No elevated persistence or cross-skill privileges are requested.
What to consider before installing
This skill appears to be a legitimate PagerDuty CLI (the included script talks only to PagerDuty endpoints). However, the registry metadata fails to declare the required environment variables (the SKILL.md and the script require PAGERDUTY_API_KEY and optionally PAGERDUTY_INTEGRATION_KEY and PAGERDUTY_FROM_EMAIL). Before installing, verify: (1) you are comfortable providing a PagerDuty API key to the skill and that the key has the minimum scopes needed (prefer least privilege), (2) rotate the key after testing, (3) confirm the skill source/trustworthiness since Homepage is missing and source is unknown, and (4) consider running the script in an isolated environment first. If you need higher assurance, ask the publisher to update the registry metadata to declare the primary credential (PAGERDUTY_API_KEY) and to document required scopes; that inconsistency is why this is flagged as suspicious.Like a lobster shell, security has layers — review code before you run it.
latestvk97cffqx08t05m8ezrptghy8c983ajjb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.