Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tidepool
v1.0.1
Build and deploy any kind of web app without leaving the command line. This project is built for autonomous AI agents. Handles auth, Stripe payments, admin p...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill declares and requires the 'tidepool' CLI and its SKILL.md shows CLI usage (pip install tidepool, tidepool init/dev/deploy). There are no unrelated env vars, binaries, or config paths requested that would be inconsistent with a web-deploy CLI.
Instruction Scope
Runtime instructions include network calls (curl https://tidepool.sh/api), installing/running the tidepool CLI, and APIs (tp.http, tp.email, tp.files, tp.db) that allow outbound HTTP and reading project-local secrets at tp_data/secrets.json. These behaviors match a deploy tool but give the agent the ability to make arbitrary outbound requests and read project-local secret files — expected for this purpose but worth attention.
Install Mechanism
Install spec is an external package (uv/pip install tidepool) which is expected for a CLI tool. Installing a third-party Python package from a registry is normal but carries supply-chain risk — verify package provenance (PyPI name, owner, homepage, source) before installing.
Credentials
No required environment variables or system credentials are requested up-front. Payment features (Stripe) are documented but handled via explicit secret push or project secrets — this is proportionate as long as you do not expose unrelated credentials to the skill.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config changes. Agent autonomous invocation is allowed (platform default) but not coupled with elevated persistent privileges in this package.
Assessment
This skill appears to do what it says (a CLI web app deployer) but it installs a third‑party Python package and performs network operations. Before installing: (1) verify the tidepool package/source (homepage, PyPI owner, repository) to ensure authenticity; (2) avoid pasting real production secrets into prompts — use test keys or inject secrets via your secure secret store rather than terminal history; (3) treat the install as running untrusted code (consider installing in an isolated environment or container); (4) review what will be stored under tp_data/ (secrets.json, db) and do not place system or cloud credentials there; (5) expect the CLI to make outbound HTTP requests (the curl to tidepool.sh/api and tp.http calls) — if you need an offline/sandboxed review, fetch the package source first and inspect it.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌀 Clawdis
Bins: tidepool
Install
Install Tidepool CLI (pip/uv)
Bins: tidepool
uv tool install tidepool