ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chatgpt Apps

v0.1.1

Complete ChatGPT Apps builder - Create, design, implement, test, and deploy ChatGPT Apps with MCP servers, widgets, auth, database integration, and automated deployment

3· 2.1k·2 current·2 all-time
byPrompt Circle@hollaugo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (ChatGPT Apps builder) matches the SKILL.md: it provides step-by-step workflows for designing, implementing, testing, and deploying apps. There are no declared env vars or binary requirements that are unrelated to building/deploying apps.
Instruction Scope
Instructions stay within app-building scope (generate project files, tool handlers, widgets, tests, Dockerfile, deploy to Render). They tell the agent to generate and run setup.sh/START.sh and to configure connectors/auth. They do not instruct reading arbitrary system files or exfiltrating data, but they do assume the agent/user will provide external service credentials during auth/deploy steps (Auth0/Supabase/Render/ChatGPT connector).
Install Mechanism
This is an instruction-only skill with no install spec and no code files — minimal install risk (nothing will be written or executed by the platform as part of installing the skill).
Credentials
The skill declares no required environment variables (none requested). However, the workflows explicitly reference third-party services (Auth0, Supabase, Render, ChatGPT connector) that will require credentials to configure and deploy; those are not requested by the skill itself but will be needed to complete some steps. Expect to supply service API keys/IDs during use — the skill does not automatically collect them.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill does not request permanent presence or modify other skills; it only instructs the agent to generate project files in the user's workspace if the user asks it to.
Assessment
This skill is an instructions-only builder for ChatGPT Apps and is internally consistent. Before using it: 1) Be prepared to provide deployment and auth credentials yourself (Auth0, Supabase, Render, ChatGPT connector) — the skill won't silently grab them. 2) When the agent generates files (setup.sh, START.sh, Dockerfile, server code), review those scripts and the produced code before executing them locally or deploying to production. 3) Use least-privilege/test credentials for deployment and auth during development (avoid pasting production secrets). 4) If the workflow references external generators or SDKs (e.g., chatgpt-mcp-generator, @modelcontextprotocol/sdk), verify you trust those tools and inspect any downloaded packages before running. 5) Consider running generated code in an isolated environment (container or VM) for testing. If you want, I can highlight exactly which generated files or commands you should review first and what to look for in them.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fgtmvw14sv3ak7gt8ezh9fx809z6v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments