Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jack Cloud

v0.3.1

Deploy web services to the cloud with Jack. Use when: you need to create APIs, websites, or backends and deploy them live. Teaches: project creation, deploym...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (deploy web services) align with requested binaries (node, npm) and the SKILL.md instructions to install and use the @getjack/jack CLI. The listed external endpoints (auth.getjack.org, control.getjack.org) and behaviors (upload source during `jack ship`, store auth at ~/.config/jack/auth.json) are coherent with a deployment service.
Instruction Scope
Instructions explicitly tell the agent/user to install the CLI, run interactive OAuth login, and upload project source code and metadata during `jack ship`. This is expected for a deploy tool, but it does mean your source code and project metadata are transmitted to control.getjack.org — a privacy/exfiltration surface the user should be aware of.
Install Mechanism
No formal platform install spec in the registry, but SKILL.md recommends `npm i -g @getjack/jack` (a public npm package). Global npm installs are common for CLIs but run arbitrary package code locally; reviewing the npm package and publisher is advisable before installing.
Credentials
The skill requests no environment variables or external credentials in metadata; authentication is interactive OAuth and tokens are stored at ~/.config/jack/auth.json. The declared access matches the instructions (no unexpected credential requests or hidden env reads).
Persistence & Privilege
Skill is not always-enabled and uses normal agent invocation. It creates local artifacts (.jack/project.json, auth.json) and uploads project data as part of normal operation — this is expected and limited to the tool's scope. It does not request elevated system-wide privileges.
Assessment
This skill appears to be what it claims, but take these practical precautions before using it:

1) Understand that `jack ship` uploads your project source and metadata to Jack Cloud (control.getjack.org); do not ship sensitive secrets in code or commit private keys.
2) The CLI is distributed via npm — review the package and publisher on the npm registry (publisher, package readme, source repo) before running `npm i -g @getjack/jack`.
3) OAuth tokens will be stored locally at ~/.config/jack/auth.json; protect that file and remove tokens when no longer needed.
4) If you need to limit blast radius, test in an isolated environment or throwaway account/repo, or inspect the package source first.
5) If you require stronger guarantees about where your code or data go, verify Jack Cloud's privacy/security documentation or consider an alternative deployment flow (e.g., using your own Cloudflare account/wrangler).


Runtime requirements

Clawdis
Bins: node, npm