Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Plane

v1.0.2

Manage Plane.so projects and work items using the `plane` CLI. List projects, create/update/search issues, manage cycles and modules, add comments, and assig...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly targets the Plane.so CLI and requires PLANE_API_KEY and PLANE_WORKSPACE, which are appropriate for the described functionality. However, the registry metadata shown above (no required bins/env) contradicts the SKILL.md metadata that declares a required 'plane' binary and two environment vars.
Instruction Scope
All runtime instructions are limited to installing/running the 'plane' CLI and exporting Plane-related environment variables and base URL. The skill does not instruct the agent to read unrelated files, transmit data to unexpected endpoints, or access other system credentials.
Install Mechanism
The install instructions ask the user (and the metadata specifies) to download a single executable from a GitHub releases URL and place it in ~/.local/bin. GitHub Releases is a common host, but downloading and running a third-party native binary without a checksum or signature is higher risk: no archive is extracted, yet the binary can run arbitrary code on the machine.
Credentials
Requested environment variables (PLANE_API_KEY, PLANE_WORKSPACE, optional PLANE_BASE_URL) are proportional to a Plane CLI skill. Note the registry-level requirements were empty but SKILL.md metadata lists them — that inconsistency should be resolved before trusting the skill.
Persistence & Privilege
The skill does not request 'always: true' and does not declare any system config paths or privileges beyond installing a user-local binary. Autonomous invocation remains allowed by default (normal for skills).
What to consider before installing
This skill appears to be a straightforward wrapper around the Plane CLI and needs your Plane API key and workspace slug — which is expected. Two things to check before installing: (1) The SKILL.md metadata requires the 'plane' binary and PLANE_API_KEY/PLANE_WORKSPACE, but the registry summary shows no required env/bins — ask the publisher to reconcile that mismatch. (2) The install method downloads a native executable from a GitHub release with no checksum or signature; only install if you trust the GitHub repo/owner. Safer steps: inspect the repository source, verify release checksums or signatures, prefer official vendor-distributed packages, avoid running as root, and limit the API key scope or rotate it after use. If the author can provide a signed release or reproducible build instructions, that would increase confidence.

Like a lobster shell, security has layers — review code before you run it.
