Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

logo-generator

v1.0.0

Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The package name/metadata (logo-generator) does not match the SKILL.md, which documents a GitHub `gh` CLI integration. This mismatch suggests a packaging or metadata error (or possible misdirection).
Instruction Scope
The SKILL.md stays within a clear scope (running `gh` commands to inspect PRs, runs, and use `gh api`). It does not ask to read unrelated system files or exfiltrate data. However, it assumes a local `gh` CLI and authenticated GitHub access without declaring that requirement.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by the skill itself. Low install risk, but it also means no provenance information is provided.
Credentials
The skill declares no required binaries or environment variables, but the runtime instructions require the `gh` CLI and an authenticated GitHub session (token stored by gh). The needed credential/access method is implicit and not documented, which is disproportionate to the declared requirements and obscures where credentials are used.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings; autonomous invocation is allowed (default) but is not by itself a new concern here.
What to consider before installing
Do not install or enable this skill until the metadata mismatch is resolved. The SKILL.md clearly expects the GitHub `gh` CLI and an authenticated GitHub session, but the package is named 'logo-generator' and declares no dependencies or credential requirements. If you still want to use it:

1) verify the skill's source and author (origin is 'unknown');
2) ensure `gh` is installed and you are comfortable with how it stores authentication (gh stores tokens locally/OS credential store);
3) test in a safe account or environment (no sensitive repos) to confirm behavior;
4) avoid supplying additional env vars or secrets to the skill — the SKILL.md does not ask for any but it will implicitly use your `gh` auth; and
5) ask the publisher to fix the name/metadata and explicitly document required binaries and authentication.

The mismatch could be an innocent packaging mistake, but it could also indicate sloppy or malicious packaging, so treat it with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk973xym9ra91mhdbwz9fb52teh84dbed
