Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

multi-capability-bug-closure-en

v1.0.0

Unified bug investigation and closure by combining source code, database, server logs, and software platform query capabilities. Use when users require evide...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description match the SKILL.md: it is meant to combine code, DB, logs, and platform queries. However, the skill declares no required env vars, credentials, or config paths while the runtime instructions assume direct access to databases, log directories, and platform skills. That mismatch (required capabilities implied but not declared) reduces transparency and is disproportionate to an instruction-only skill.
Instruction Scope
Instructions explicitly direct the agent to read source code, run read-only SQL queries, pull server logs, and call platform query capabilities. Those actions are in-scope for the stated purpose, but they are broad and potentially sensitive. The mandatory prompt encourages autonomous use of any available capability systems, which could cause the agent to access connected systems unless constrained externally.
Install Mechanism
No install spec and no code files (instruction-only). That minimizes disk-level risk because nothing is downloaded or written by the skill itself.
! Credentials
SKILL.md expects access to credentials (databases, logs, platform APIs) and suggests using env vars or secret managers, but the registry metadata lists no required environment variables or primary credential. The skill gives no guidance on which specific secrets it will need or how they will be scoped, audited, or restricted.
Persistence & Privilege
always is false and the skill has no install actions or requests to persist itself or change other skills' config. Autonomous invocation is allowed but that is the platform default; nothing in the manifest requests elevated or persistent privileges.
Scan Findings in Context
[no-findings] expected: This is an instruction-only skill with no code files, so the regex-based scanner had nothing to analyze. The lack of findings is not evidence of safety.
What to consider before installing
This skill is coherent in intent but incomplete in its declarations: it expects the agent to access source code, databases, server logs, and business-platform APIs but does not list which connectors or credentials it will use. Before installing or enabling it:

1) Identify which database/log/platform connectors the agent will use and only provide least-privilege credentials (read-only DB accounts, scoped API tokens).
2) Require explicit user approval before the skill queries any new system or retrieves logs.
3) Ensure audit/logging is enabled so queries and data access are recorded.
4) Test the skill in a sandboxed environment first (with synthetic data) to verify it behaves as expected.
5) Prefer giving access via short-lived tokens or a secrets manager and require the skill to declare which env vars it needs.

If you cannot confirm which external systems the skill will touch, treat it as high-risk and avoid giving it credentials or unrestricted access.

Like a lobster shell, security has layers — review code before you run it.

latestvk977dpybbm9m6w6xnkghqqrs5183emsb
