Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fact Check

v0.1.1

This skill should be used when the user asks to "fact check", "verify this", "is this true", "check the facts", "validate claims", "are these field names cor...

by Futurize Rush (@futurizerush)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the instructions: verifying version numbers, API fields, CLI flags, file paths and dates legitimately requires the tools and checks listed (curl, npm/pip/gh, ls, grep, date, etc.).
!
Instruction Scope
SKILL.md instructs the agent to run shell commands that read files (ls, grep), query local repos, run network requests (curl), and call tooling (gh, npm, pip). These actions are coherent for verification, but they grant broad access to local files and external endpoints; the guidance is fairly prescriptive about running those commands and labeling results, which could lead to unintended disclosure of sensitive local data if not constrained.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is written to disk by the skill itself).
Credentials
The skill declares no required environment variables, yet it instructs use of tools that commonly require credentials for private resources (e.g., gh for private repos, APIs that need tokens). This is explainable if only public resources are targeted, but the mismatch should be noted and the skill should prompt for credentials only when necessary.
Persistence & Privilege
No elevated persistence requested (always:false). The skill does not request to modify other agent configs or remain force-enabled.
What to consider before installing
This skill is coherent for verifying technical claims, but it directs the agent to run commands that can read local files and make network requests. Before installing: (1) confirm you trust the skill source (no homepage or author provenance is provided); (2) run the skill in a sandbox or restrict its filesystem/network access if possible; (3) be prepared to provide credentials (e.g., GH token) only when you explicitly want checks against private resources; (4) review and, if needed, limit any automated commands that will read paths you consider sensitive. If you need stronger assurance, ask the publisher for a README or provenance (homepage, repo) and for the skill to explicitly declare which env vars it will use.

Like a lobster shell, security has layers — review code before you run it.

accuracy, ai-agent, anti-hallucination, evidence, fact-check, latest, url-verification, verification
