Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
NPM Package Scanner
v1.0.0
Scan npm packages used in a repository for risk, maintenance health, and upgrade concerns.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (inspect package.json/lockfiles and run audits) aligns with the requested binaries (rg, jq, npm). However, bun is listed as a required binary even though many repos will not use Bun, while pnpm and yarn are referenced in the instructions but are not declared as required. Requiring bun as mandatory is disproportionate for a generic npm scanner and could cause unnecessary install failures.
Instruction Scope
Runtime instructions stay within the stated purpose: locate manifests, read package.json/locks, list dependencies, and run package-manager audits. The skill references local files (manifests, locks) and runs audit/list commands but does not instruct the agent to modify dependencies. Note: it references 'references/checklist.md' and 'references/commands.md' which are not present in the skill bundle.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk by the skill itself. This is low risk from an install perspective.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for secrets and only needs local repo access and standard developer tools.
Persistence & Privilege
The always flag is false, and the skill does not request any persistent agent-wide privileges. Autonomous invocation is allowed by default, but there are no elevated persistence claims.
What to consider before installing
This is an instruction-only repo-inspection skill that mostly does what it says: it reads package manifests and runs package-manager audits. Before using it, ensure the required tools (rg, jq, npm, and the currently required bun) are actually available; bun may be unnecessary for many projects but is declared mandatory. Be aware that npm/pnpm/yarn audit commands contact package registries (network activity) and may return noisy results; the skill does not request secrets. Also note that the skill references local helper files (references/*.md) that are not included in the bundle. If you want to use it on a repo that uses pnpm or yarn, either install those tools or update the skill to declare them. If you’re unsure, run the commands manually first to confirm their outcomes and network behavior before granting the agent autonomous runs.
Runtime requirements
Bins: rg, jq, bun, npm
