Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
test
v1.0.0
Manage test boards, lists, and cards via the Trello REST API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md implements Trello REST API operations and requires TRELLO_API_KEY and TRELLO_TOKEN, which is proportionate to the stated purpose. Minor inconsistency: the top-level metadata lists the skill name as "test"/slug fxdm-test-skill while SKILL.md uses name: "trello"; _meta.json ownerId also differs from the registry ownerId. These are likely packaging/metadata errors but should be confirmed with the publisher.
Instruction Scope
Runtime instructions are explicit and limited to calling Trello endpoints with curl and formatting output with jq. They do not ask for unrelated files or system data. However, the instructions rely heavily on curl (numerous curl examples) but the required binaries list only jq — curl is not declared as a required binary. Also the skill runs network requests using the provided API key/token (expected for this purpose) — be aware the agent will transmit your Trello credentials to api.trello.com when invoked.
Install Mechanism
Instruction-only skill with no install spec or code files. This is the lowest-risk install model because nothing is written to disk by the skill bundle itself.
Credentials
The skill only requests TRELLO_API_KEY and TRELLO_TOKEN, which are appropriate and necessary for the Trello REST API. The SKILL.md explicitly warns the credentials provide full account access. No other unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not marked always:true and does not request modification of other skills or agent-wide settings. It can be invoked autonomously (default), which is normal — but combined with network access and your Trello token that increases the blast radius if you enable autonomous actions.
What to consider before installing
This skill appears to do exactly what it says: run curl calls against the Trello REST API and format results with jq. Before installing:
1) Confirm the publisher/metadata mismatch (skill labeled "test" vs SKILL.md "trello" and differing ownerId) — this is likely benign but worth verifying.
2) Ensure curl is available on your agent host (the SKILL.md assumes curl but the required binaries list only jq).
3) Treat TRELLO_API_KEY and TRELLO_TOKEN as sensitive — they grant full account access; store them securely and consider creating a limited-scope token if possible.
4) Remember the agent can perform network operations autonomously by default; if you don’t want the agent to act without explicit approval, disable autonomous invocation for this skill.
If you want, ask the publisher to fix metadata and declare curl in required binaries for clearer provenance.
Like a lobster shell, security has layers — review code before you run it.
latest vk972km0phnqw0dd5sc49d1ep9x83289n
Runtime requirements
📋 Clawdis
Bins: jq
Env: TRELLO_API_KEY, TRELLO_TOKEN
