Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
test
v1.0.0 · Manage Trello boards, lists, and cards via the Trello REST API.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and declared required environment variables (TRELLO_API_KEY, TRELLO_TOKEN) match a Trello integration and are proportionate. However, there are packaging/metadata mismatches: the registry metadata at the top of the evaluation lists owner/slug/name values (owner id: kn7762t..., slug: test11jj, name: test) that do not match the included _meta.json (ownerId: kn70pyw..., slug: trello) nor the SKILL.md (name: trello). This provenance inconsistency could indicate a packaging error or repackaging by a different publisher and should be verified.
Instruction Scope
SKILL.md instructions are narrowly scoped to calling Trello REST endpoints and using jq to parse results; they only reference TRELLO_API_KEY and TRELLO_TOKEN. No instructions ask to read unrelated files or exfiltrate data. One practical mismatch: examples use curl extensively but curl is not listed under required binaries (only jq is declared).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That minimizes install-time risk.
Credentials
Only the Trello API key and token are required, which is appropriate for a Trello-management skill. The SKILL.md explicitly warns the token provides full access. No other unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request elevated or always-on privileges. Autonomous model invocation is allowed (default) but this alone is expected and not a separate red flag here.
What to consider before installing
This skill's commands and required Trello credentials are consistent with a Trello integration, but verify who published it before installing. Check that the skill owner/slug in the registry matches the _meta.json and SKILL.md; mismatched metadata can indicate an incorrectly packaged or republished skill. Also note SKILL.md uses curl but curl isn't declared as a required binary; ensure curl is available in your environment. Only provide TRELLO_API_KEY and TRELLO_TOKEN if you trust the skill owner; prefer creating a token with limited scope or a disposable account, and be prepared to revoke the token if you see unexpected behavior. Finally, because this skill can be invoked by the agent, limit autonomous use or monitor actions that modify boards/cards until provenance is confirmed.
Like a lobster shell, security has layers: review code before you run it.
latest vk97c8jaekdnry9aws1vay6cfnh8326x5
Runtime requirements
📋 Clawdis
Bins: jq
Env: TRELLO_API_KEY, TRELLO_TOKEN
