ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trending Skills

v0.1.0

Fetches skills.sh trending rankings. Use when asking about skill rankings or popular tools.

0· 894·3 current·3 all-time
by@hjw21century
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (fetch skills.sh trending rankings) align with the included code and instructions. The Python files implement a Playwright-based scraper for the trending page and a requests/BeautifulSoup detail fetcher. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md gives concrete steps: run skills_fetcher.py (requires Playwright+chromium) for rankings and detail_fetcher.py (requires requests, bs4, lxml) for details. The runtime behavior is limited to HTTP GETs of skills.sh (or an alternate SKILLS_BASE_URL if the environment overrides it) and local HTML parsing. The only minor scope note: config supports SKILLS_BASE_URL env override — if set to an attacker-controlled host the scraper would fetch that host instead of the official site.
Install Mechanism
No explicit install spec in registry metadata (instruction-only), but SKILL.md instructs installing Playwright and running 'playwright install chromium --with-deps', which will download browser binaries and system dependencies via Playwright. This is expected for a headless-browser scraper but requires network access and elevated disk usage; the install commands come from public packages (pip/playwright).
Credentials
The skill declares no required environment variables or credentials. The only relevant env var in code is SKILLS_BASE_URL (optional override) which is proportional to the scraper purpose. No secrets/tokens/keys are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It runs as an on-demand scraper and does not attempt to store or escalate privileges.
Assessment
This skill appears to do what it says: scrape skills.sh for trending rankings and optionally fetch detail pages. Before installing/run: 1) Be aware you'll be asked to install Playwright and Chromium which download browser binaries and may require system libraries—use a virtual environment or container if you prefer isolation. 2) The code will perform HTTP requests to SKILLS_BASE_URL; ensure that env SKILLS_BASE_URL is not pointed to an untrusted host (default is https://skills.sh). 3) Review or run the Python scripts locally first if you want to inspect network traffic or output; no credentials are requested. 4) Minor note: src/__init__.py contains unrelated docstring text (likely leftover) but this looks like harmless leftover metadata rather than malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a51v7yqf9xr0ytr91h1h8gd812yam
894downloads
0stars
1versions
Updated 14h ago
v0.1.0
MIT-0
@hjw21century
latest
Download

Trending Skills

Fetch skills.sh trending rankings and skill details.

Quick Start

# View rankings
今天技能排行榜
Top 10 skills
技能榜单

Query Types

TypeExamplesDescription
Rankings今天技能排行榜 Top 10Current rankings
Detailxxx是什么 xxx介绍Skill details (requires extra packages)

Workflow

- [ ] Step 1: Parse query type
- [ ] Step 2: Fetch data from skills.sh
- [ ] Step 3: Format and display results

Step 1: Parse Query Type

User InputQuery TypeAction
今天技能排行榜rankingsShow top N skills
Top 10 skillsrankingsShow top N skills
xxx是什么detailShow skill details

Step 2: Fetch Data

Fetch Rankings

cd skills/trending-skills
python src/skills_fetcher.py

Requirements:

For basic rankings:

pip install playwright
playwright install chromium --with-deps

For skill details (optional):

pip install beautifulsoup4 lxml requests

Note: --with-deps automatically installs required system libraries.

Fetch Skill Details (Optional)

python src/detail_fetcher.py <skill-name>

Step 3: Format Results

Rankings Output

# Skills Trending

| # | Skill | Owner | Installs |
|---|-------|-------|----------|
| 1 | remotion-best-practices | remotion-dev | 5.6K |
| 2 | react-best-practices | vercel-labs | 5.4K |
| 3 | web-design-guidelines | vercel-labs | 4.0K |

Detail Output (Optional)

# remotion-best-practices

**Owner**: remotion-dev/skills
**Installs**: 5.6K

**When to use**:
[Usage description from skills.sh]

**Rules** (27 total):
- 3d.md: 3D content in Remotion...
- audio.md: Audio processing...

**URL**: https://skills.sh/remotion-dev/remotion-best-practices

Configuration

No configuration required.

Troubleshooting

IssueSolution
Playwright errorRun playwright install chromium
Network timeoutCheck internet connection
Skill not foundVerify skill name on skills.sh

CLI Reference

# Fetch rankings
python skills/trending-skills/src/skills_fetcher.py

# Fetch skill detail (optional)
python skills/trending-skills/src/detail_fetcher.py <skill-name>

Comments

Loading comments...