AutoHeal AI

v1.0.0

Add AI-powered error monitoring and auto-fix generation to any project

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (capture JS/TS errors and send them to an AutoHeal service) matches the included instructions and scripts. However, registry metadata incorrectly lists no required environment variables while SKILL.md and scripts require AUTOHEAL_API_KEY. This metadata mismatch is an incoherence that could mislead users about credential requirements.
! Instruction Scope
The runtime instructions call for sending error messages, stacks, source URLs, and a key to https://autohealai.com/api/errors/ingest. The browser snippet encourages (and appears to expect) putting the API key into client-side code (it uses process.env in a browser context and falls back to a literal key), which would expose the key to end users. The instructions do not warn about potentially sensitive or PII-containing data in stack traces or page URLs, nor do they recommend server-side proxying or scrubbing before transmission.
Install Mechanism
This is an instruction-only skill with no install spec and no remote downloads; included code is a small local shell script. There is no installer that fetches remote code or creates binaries, so installation risk is low.
! Credentials
The skill legitimately needs a single API key (AUTOHEAL_API_KEY) to call the third-party service, which is proportionate to the stated purpose. However, the registry metadata omits this requirement (contradiction). More importantly, the provided browser instructions would effectively leak that credential if embedded client-side; the skill also instructs sending stack traces and page URLs to an external domain, which can contain secrets or PII. These data-exfiltration risks are not justified or mitigated in the docs.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not request system-wide configuration changes. It has normal, limited presence (instruction-only and a helper script).
What to consider before installing
This skill appears to perform error collection and reporting to a third-party service, which is coherent with its description, but proceed cautiously. Before installing:
- Confirm the registry metadata is corrected to list AUTOHEAL_API_KEY as required so you know a credential is needed.
- Do NOT embed your API key in client-side/browser code — that exposes the key to anyone who can open your site. Prefer server-side ingestion, or issue a short-lived/bound key for client usage.
- Review what you will send in stack traces and URLs; they often contain PII, secrets, or internal paths. Add scrubbing, redaction, or proxying on the server before forwarding to autohealai.com.
- Verify the endpoint (https://autohealai.com) and the service's privacy/security policies; test with a rotated or limited-scope key first.
- If you need help making the integration safe, ask the skill author to provide server-side integration examples and explicit guidance about sensitive-data handling. If the author cannot explain the metadata omission and safe client handling, treat the package with caution.

Like a lobster shell, security has layers — review code before you run it.
