Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Community Connector
v0.1.0
Helps users find local community resources, events, and support groups based on their interests, location, and availability.
by haidong @harrylabsj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match the code and SKILL.md: handler.py parses user text and builds connection plans; index.js provides a CLI that prints example results. Minor inconsistency: registry metadata lists no required binaries, yet the package contains both Python (handler.py) and Node.js files (index.js, test.js), so running the provided files will require Python and Node.js runtimes. This is an implementation detail, not a functional mismatch with the skill's purpose.
Instruction Scope
SKILL.md runtime instructions are limited to using the community-connector CLI and provide examples. There are no instructions to read arbitrary system files, access unrelated environment variables, or send data to external endpoints. One development note points to a local design document path (/Users/jianghaidong/...), which is just a leftover developer path and not an instruction to read that file at runtime.
Install Mechanism
No install spec is provided (instruction-only), so nothing will be downloaded or installed automatically. This is lower risk. Running the included code locally would require installing Node and/or Python, but the package does not attempt to install anything itself.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not reference any secrets or external credential-like environment variables. There is no indication of disproportionate credential requests.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not modify system-wide or other-skill configurations. It contains only handler logic and CLI stubs; nothing indicates elevated or persistent privileges.
Assessment
This package appears to implement what it claims: local-parsing heuristics (handler.py) and a small CLI with placeholder outputs (index.js). Before installing or running:
1) Note that the bundle includes both Python and Node.js files — you will need the corresponding runtimes to run tests or the handler; the registry metadata did not list these runtimes, which is a minor inconsistency.
2) The CLI currently prints static/example results (TODOs) rather than performing remote lookups; review/implement any data sources you trust before using it to fetch real data.
3) The SKILL.md references a local developer path — this is likely a leftover and not an active instruction, but avoid running unknown code in production; run it in a sandbox or review the code (handler.py, index.js, test.js) yourself.
4) There are no requested secrets or network endpoints in the code, so there is low risk of silent credential exfiltration, but always check for added network calls if you or others modify the code.
test.js:8: Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
