Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Common Sense
v0.1.1Use when user mentions model names, versions, pricing, API IDs, "which model should I use", "what's the latest model", "model comparison", "API pricing", "wh...
⭐ 0· 57·0 current·0 all-time
byFuturize Rush@futurizerush
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the contents: the files are a curated reference of model names, IDs, pricing, deprecations and verification guidance. No unexpected cloud or system-level capabilities are requested.
Instruction Scope
SKILL.md instructs agents to use WebSearch/WebFetch to verify stale entries and provides concrete verification commands (curl, npm/pip checks). That is in-scope for verifying model IDs and pricing. However the instructions also include shell examples that use environment-variable placeholders (e.g., $OPENAI_API_KEY) and allow tools including Bash and Read, which expands the agent's ability to run commands or access files if enabled — the guidance itself does not explicitly limit those actions.
Install Mechanism
Instruction-only skill with no install spec and no code files. No archives or downloads, so nothing is written to disk by an installer — low install risk.
Credentials
The skill declares no required environment variables or credentials, yet the documentation and curl/sdk examples reference many provider API key environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, MISTRAL_API_KEY, COHERE_API_KEY, GOOGLE_API_KEY, etc.). This is an incoherence: either the skill should declare and justify required secrets or the instructions should avoid examples that could cause an agent to read local secrets. If the agent is permitted to run Bash/Read, those example commands could lead to use or exposure of local API keys.
Persistence & Privilege
always:false and no install hooks; skill is user-invocable only and does not request persistent/system-wide configuration or modifications. Autonomous invocation is allowed by default but is not combined with other broad privileges here.
What to consider before installing
This skill appears to be a useful, instruction-only reference for model IDs and pricing and includes sensible advice to verify stale data via web search. Before enabling it: 1) Be cautious about permitting Bash/Read for the agent — if you allow those tools the agent could run the curl/npm commands shown and may read environment variables or files containing API keys. 2) If you plan to let the skill verify provider APIs, only supply explicit API credentials you trust and expect the skill to use; otherwise avoid giving any provider keys. 3) Prefer letting the skill use WebSearch/WebFetch to check public docs (no credentials required) rather than running authenticated API calls. 4) If you need a stricter guarantee, ask the skill author to remove embedded curl examples that reference $ENV secrets or to declare required env vars explicitly. Overall: coherent and probably benign in intent, but the mismatch between examples that use API keys and the declared lack of required credentials is a real risk if the agent is allowed to execute shell commands or read environment variables.Like a lobster shell, security has layers — review code before you run it.
latestvk9713fxhq244tn3n1vfw6qgz8s84nk46
License
MIT-0
Free to use, modify, and redistribute. No attribution required.