Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
W Skill Pack
v1.0.0
Provides weather info, word learning, Wikipedia search, writing help, workout plans, web search, weight tracking, and hydration reminders.
bybittao@hgta23
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description list weather, word learning, wiki, writing help, workouts, web search, weight tracking, and water reminders — and the included main.py implements those features. However, the SKILL.md and code reference third‑party APIs (OpenWeatherMap, Google Custom Search) that require API keys, yet the skill metadata does not declare any required environment variables or primary credential. This mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructs how to import and call functions and documents which functions need API keys. The runtime instructions and code only perform straightforward actions (HTTP requests to public APIs, in‑memory storage) and do not read unrelated system files or hidden endpoints.
Install Mechanism
No install spec is provided (instruction-only), and requirements.txt only lists the widely used 'requests' package. No downloads from unknown hosts or archive extraction are present.
Credentials
The SKILL.md explicitly states some functions require API keys (OpenWeatherMap, Google Custom Search), but the package metadata lists no required environment variables or credentials. The code embeds placeholder strings like 'YOUR_OPENWEATHER_API_KEY' instead of reading declared env vars. This is an inconsistency: users may be prompted to modify code to add keys or may not realize keys are needed, which increases the chance of insecure key handling.
Persistence & Privilege
The skill does not request persistent system presence (always is false), does not modify other skills or system configuration, and only stores user data in memory (weight logs, workout plans, reminders). There is no evidence of elevated privileges or background persistence.
What to consider before installing
This skill's behavior largely matches its description and only makes normal HTTP requests to public APIs, but it refers to API keys while not declaring any required credentials. Before installing: (1) confirm how the skill expects you to provide API keys — ideally via platform environment variables rather than editing source code; (2) avoid pasting secrets into free‑text fields or public code — prefer platform-provided secret storage; (3) if you need Google/OpenWeather keys, add them via the agent's supported secure env var mechanism or ask the author to update the skill to read declared env vars; (4) review the source (main.py) yourself if you will supply keys, and run the skill in a sandbox if you’re unsure. The code has no other obvious exfiltration or persistence behavior, but the missing credential declarations are a transparency issue that should be resolved before trusting the skill with API keys.
Like a lobster shell, security has layers — review code before you run it.
