Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
v0-cli
v1.0.1
Command-line tool for creating, refining, and listing AI-generated websites using v0.dev API without interactive prompts.
by @hlongvu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The described purpose (CLI for v0.dev) reasonably requires an API key (V0_API_KEY) and Node/npm usage — that part is coherent. However, the registry metadata lists no required env vars or binaries while the SKILL.md explicitly requires Node >=18 and V0_API_KEY, creating a mismatch between claimed requirements and the declared metadata.
Instruction Scope
The runtime instructions direct the agent to run local Node.js code (node /path/to/v0-cli/src/index.js), run `npm install` in this directory, and optionally install a global npm package. But the skill package contains no code files or install spec, so the instructions assume files that are not present in the bundle. That is an incoherence: either code should be bundled or the instructions should point to a verified remote package/source.
Install Mechanism
There is no install spec in the skill. The SKILL.md tells users/agents to run `npm install` (and suggests `npm install -g @hlongvu/v0-cli`), which would fetch code from the public npm registry — a supply-chain action not governed by the skill metadata. Because the skill bundle doesn't include the code to inspect, following these instructions would cause network downloads of third-party packages whose contents are not reviewed by this scan.
Credentials
Requesting V0_API_KEY is proportionate to a v0.dev CLI, and no unrelated secrets are requested. The problem is that the registry metadata omits required env vars while the SKILL.md requires V0_API_KEY. The omission reduces transparency and prevents pre-install validation.
Persistence & Privilege
The skill is not always-enabled and does not request persistence or elevated privileges. It does not declare modifications to other skills or system-wide config.
What to consider before installing
Do not install or run commands from this skill as-is. The SKILL.md expects a Node.js project and a V0_API_KEY but the skill package contains no code or install spec, and the registry metadata does not declare the required env var. That means:
- The skill may be incomplete or a wrapper around a public npm package that the agent would download at runtime; downloading/running npm packages without verifying their source and contents is a supply-chain risk.
- Before trusting this skill, ask the publisher for: the source repository or homepage, a concrete install spec (preferably a verified GitHub release or an official npm package name), and that the registry metadata be updated to declare V0_API_KEY and Node as requirements.
- If you consider using it, verify the npm package @hlongvu/v0-cli (or whichever package it references) manually: inspect its repository, review published bundle contents, and confirm the exact API calls it makes.
- If you only need agent integration, prefer a skill that includes code or an explicit install spec pointing to trusted releases and that declares required env vars in the registry metadata.

Like a lobster shell, security has layers — review code before you run it.
