Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

IteraTools API

v1.2.0

Call the IteraTools multi-tool API (api.iteratools.com) — 80+ tools for AI agents: image generation (Flux), browser automation (Playwright), web scraping, TT...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: this is a multi-tool API/MCP connector (image, web, TTS, code exec, etc.). That capability would legitimately require an API key and network access to api.iteratools.com or mcp.iteratools.com; however, the registry metadata lists no required environment variables or primary credential, creating a mismatch between claimed requirements and actual instructions.
Instruction Scope
SKILL.md sticks to the stated purpose: examples show running the MCP client (npx mcp-iteratools), setting ITERATOOLS_API_KEY, adding an MCP server entry, and calling the REST API. It does not instruct the agent to read unrelated files or exfiltrate data, nor does it request system-level config beyond adding an MCP server entry.
Install Mechanism
There is no formal install spec (instruction-only), but the docs instruct use of `npx mcp-iteratools`. That means code will be fetched from the npm registry and executed on demand. This is a normal distribution method, but it does execute remote code transiently — users should verify the npm package and its GitHub source before running.
Credentials
The SKILL.md repeatedly references ITERATOOLS_API_KEY and Authorization: Bearer it-... for pay-per-use access, but the registry metadata declares no required env vars or primary credential. The skill will likely need an API key and billing/micropayment setup; the omission in metadata reduces transparency and could lead users to supply credentials without realizing the requirement or billing implications.
Persistence & Privilege
Flags show normal privileges (always: false, user-invocable: true). The skill does not request persistent system-wide modifications or privileged config paths in the documentation; it only suggests adding an MCP server entry or running npx locally.
What to consider before installing
Before installing or using this skill:
(1) Expect to need an IteraTools API key and to incur pay-per-use charges — verify pricing and billing behavior.
(2) The registry metadata omitted required env vars; don't assume no credentials are needed.
(3) The quick start uses `npx mcp-iteratools`, which downloads and runs code from npm — review the npm package and its GitHub repo (links are provided in SKILL.md) to confirm trustworthiness.
(4) If you must try it, run the npx command in a sandboxed environment or container and only provide an API key with minimal scope; monitor usage/billing after first calls.
(5) If you use it in a production agent, add explicit policy controls limiting when the agent can call this external service and require user confirmation for cost-incurring operations.

Like a lobster shell, security has layers — review code before you run it.
