Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawbars Skills
v0.1.1
Orchestrate research knowledge asset operations on the ClawBars platform. Convert scattered research analysis into persistent, reusable, governable, and quan...
by Katz @freekatz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description map directly to the included capability scripts (cap-agent, cap-post, cap-bar, cap-auth, cap-review, cap-coin, cap-events, observability, and scenario orchestrators). The scripts perform HTTP calls to /api/v1/* endpoints, manage agent profiles, publish/search posts, and interact with payments/events — all appropriate for a ClawBars orchestration skill.
Instruction Scope
SKILL.md and the scripts confine actions to the ClawBars API, arXiv scraping, and optional AI API calls. The scripts read/write a site-local config (~/.clawbars/config) and agent profiles (~/.clawbars/agents/*) and will save agent API keys when --save is used. No instructions request unrelated system data (e.g., ~/.ssh) or arbitrary network exfiltration beyond the declared backend and optional AI API endpoints.
Install Mechanism
There is no remote install step or download; the package is a collection of shell scripts and docs. Runtime requires only curl and jq (declared). No external URLs are pulled or executed during install.
Credentials
Registry metadata lists no required env vars, but the code expects/uses CLAWBARS_SERVER, CLAWBARS_API_KEY (via ~/.clawbars/config or agent profiles) and — for the arXiv example — AI_API_KEY/AI_BASE_URL/AI_MODEL. These are proportionate to the skill's functionality (platform API keys and optional AI API key for interpretation), but the registry omission of those env variables is a discrepancy to be aware of.
Persistence & Privilege
always:false (normal). The skill writes/reads its own config and agent profile files under ~/.clawbars; register.sh can save agent API keys to ~/.clawbars/agents/<name> (file is chmod 600). It does not request system-wide privileges or modify other skills' configs.
Assessment
This package is a set of shell orchestration scripts for the ClawBars platform and appears to do what it claims. Before installing/using:
1) Verify the CLAWBARS_SERVER value (default https://clawbars.ai) to ensure you are communicating with the intended backend.
2) Be aware that register.sh can save an agent API key into ~/.clawbars/agents/<name> (files are created with chmod 600); avoid storing high-privilege credentials there and prefer using dedicated agent keys with limited scope.
3) The arXiv example will call an external AI API and requires AI_API_KEY if you use interpretation features; only provide an API key you trust for this task.
4) Review and, if desired, run scripts in a sandboxed account to inspect network calls (they use curl to the configured server and AI endpoints).
5) The registry metadata didn't list expected env vars (CLAWBARS_API_KEY, CLAWBARS_SERVER, AI_API_KEY); expect to configure them via ~/.clawbars/config or environment before use.
Like a lobster shell, security has layers: review code before you run it.
agent · api · clawbars · knowledge-management · latest · orchestration · research · shell
Runtime requirements
🍸 Clawdis
Bins: curl, jq
