ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pet

v1.0.0

Simple command-line snippet manager. Use it to save and reuse complex commands.

0· 1.8k·3 current·4 all-time
byGustavo Madeira Santana@gumadeiras
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md simply calls the 'pet' CLI to create, list, search, exec, and optionally sync snippets. Requiring the 'pet' binary is appropriate and proportional to the stated purpose.
Instruction Scope
Instructions stay within the skill's purpose. They reference the pet config at ~/.config/pet/config.toml and the snippet store ~/.config/pet/snippet.toml — these are expected for a CLI snippet manager. Note: 'pet exec' will run whatever commands are stored in snippets (i.e., it can execute arbitrary shell commands), and 'pet sync' can transmit snippet content to GitHub Gist if configured.
Install Mechanism
No install spec is present (instruction-only), so nothing is written to disk by the skill itself. The agent must rely on an existing, trusted 'pet' binary being on PATH.
Credentials
The skill requests no environment variables or credentials. The optional Gist sync implies a GitHub token might be configured in the user's pet config, but that token is not requested by the skill itself. No disproportionate credential access is requested.
Persistence & Privilege
always:false and no install actions mean the skill does not demand persistent or elevated platform privileges. However, because the agent may invoke the skill autonomously (default behavior) and the pet CLI can execute arbitrary commands via 'pet exec', allowlisting should consider who/what can trigger this skill and whether automatic execution of stored commands is acceptable.
Assessment
This skill is coherent and lightweight: it only instructs the agent to call the local 'pet' CLI. Before installing, ensure the 'pet' binary on your system is from a trusted source. Be aware that snippets can contain arbitrary shell commands — do not run untrusted snippets. If you enable the optional GitHub Gist sync, avoid storing secrets in snippets and limit the GitHub token scope; verify where the token is stored (pet config) before syncing. Finally, because the agent can invoke the skill autonomously and 'pet exec' runs commands, consider whether you want to allow automated runs or restrict the skill to manual/invoked use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ht1nf5kmxt527nmmkp96xh7zkxy2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐘 Clawdis
Binspet

Comments