ClawHub

Clawhub Skill Monitor

v1.0.0

Query public skills published by a ClawHub user from the real public API. Returns skill list, versions, timestamps, and metadata. Does not fabricate installs...

0· 43·0 current·0 all-time
byhaidong@harrylabsj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description promise a public-metadata monitor and the bundle contains a single script that pages the public package endpoints, filters by ownerHandle, and returns metadata. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md instructs running the included script with a username and optional flags (format, export, page-size). The instructions do not direct the agent to read arbitrary files or environment variables, nor to post data to endpoints other than the declared ClawHub API host. The script may perform many API requests if the user increases scan depth or requests details, which is expected behavior for this use case.
Install Mechanism
No install spec is provided (instruction-only with a shipped script). Nothing is downloaded during install and no external archives or unknown URLs are used.
Credentials
The skill requires no environment variables, credentials, or config paths. The code uses network access to the ClawHub public API (CLAWHUB_BASE_URL) only, which is proportional to the stated purpose.
Persistence & Privilege
always is false and the skill does not request permanent elevated privileges or modify other skills' configs. It writes only user-specified CSV exports to disk, which is expected for an export feature.
Assessment
This skill appears to do exactly what it says: it queries the ClawHub public API for an author's public skill metadata and can export results to CSV/JSON/text. No credentials are needed. Before installing, consider: (1) the script will make network requests to https://clawhub.ai and may perform many requests if you set large page limits or enable per-package detail fetching; (2) exported CSVs are written to the local filesystem at a path you specify; (3) if you want extra assurance, review the full scripts/clawhub_monitor.py file (it is included) — it uses requests/urllib for HTTP calls and does not appear to contact any other external hosts or read secrets. If those behaviors are acceptable, the skill is coherent and safe to install from a security-proportionality perspective.

Like a lobster shell, security has layers — review code before you run it.

latestvk973tzejjk8gyqbmxc3xzh4b1x83yxrv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments