ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Market Analyzer

v2.0.1

Analyze the skill marketplace to identify trends, gaps, opportunities, and competitive positioning. Use when researching skill market dynamics, planning new...

0· 194·0 current·0 all-time
byhaidong@harrylabsj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description promise: analyze OpenClaw skill marketplace and generate data-driven insights. Actual artefacts: a single small shell script that writes a static, hard-coded report; no code to fetch, parse, or analyze marketplace data. This is a clear mismatch — the skill does not implement the functionality it advertises.
!
Instruction Scope
SKILL.md directs the agent to run scripts/analyze.sh and states analysis is local and based on publicly available skill data. The script does not access any data sources, configuration, or environment variables and simply emits canned text. The instructions therefore overstate what will happen and could mislead users into believing a real analysis will be performed.
Install Mechanism
No install spec; the skill is instruction-only with a small shell script. Nothing is downloaded or written to system locations beyond the user-specified output file when the script runs.
Credentials
The skill declares no required environment variables, no credentials, and references no config paths. The static script does not access secrets or external services, so requested environment access is proportionate (none).
Persistence & Privilege
always is false; the skill does not request persistent presence, does not modify other skills, and contains no installation hooks. It only writes its output file when invoked.
What to consider before installing
This package is effectively a stub: it promises marketplace analysis but only contains a simple shell script that writes a static report. Before installing or trusting results, consider: 1) Don’t expect real data-driven insights — the script does not fetch or analyze marketplace data. 2) If you need real analysis, ask for or inspect code that reads skill data (APIs, exports, or local datasets). 3) Verify the author/maintainer and request transparency about data sources and methods. 4) Running the script is low-risk (it only writes a local report file), but treat its output as placeholder text unless the skill is updated to include actual data collection and analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97abn2ajjbfzwp2w62gdka0td83apdf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments