ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Neta Space

v0.1.0

Neta API space and world‑view browsing skill — browse worldbuilding, sub‑spaces, and playable content by space/hashtag. Use this skill when the user talks ab...

0· 133·0 current·0 all-time
byHu Xiuhan@huxiuhan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and runtime instructions align: this is a browse/query skill for the Neta API. However, the package/source provenance is missing (no homepage or source), and the SKILL.md requires tooling (@talesofai/neta-skills and neta-cli) that are not declared in registry metadata. That mismatch weakens confidence in provenance.
Instruction Scope
The SKILL.md limits runtime actions to listing spaces and fetching space/collection/character details via neta-cli commands. It does not instruct reading arbitrary host files or exfiltrating data beyond the Neta API/CLI workflow.
Install Mechanism
There is no install spec in the registry (instruction-only), but the SKILL.md instructs global npm/pnpm installs of @talesofai/neta-skills and use of neta-cli. Installing global npm packages is a reasonable way to get a CLI but can execute arbitrary install scripts — and the package origin isn't linked from the skill metadata, so you should verify the package on the npm registry and inspect its contents before installing.
!
Credentials
SKILL.md explicitly requires NETA_TOKEN, but the registry metadata lists no required env vars or primary credential. That inconsistency is notable: the skill will need an API token to function but doesn't declare it. Requesting an API token for the Neta service would be proportional, but the missing declaration and unknown package/source make this a risk to review.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills or system settings, and is user-invocable with normal autonomous invocation allowed. Nothing here is unusually privileged.
What to consider before installing
This skill appears to be a straightforward browser for the Neta API, but there are a few red flags to clear up before installing or providing credentials: 1) SKILL.md says you must set NETA_TOKEN but the skill metadata does not declare it—expect the skill to ask for an API token at runtime. 2) The skill tells you to install @talesofai/neta-skills and neta-cli globally, but the registry entry has no homepage/source; verify the npm package (@talesofai/neta-skills) and neta-cli project on the official registries and inspect their code or README before running global installs. 3) Prefer creating a scoped/limited NETA_TOKEN (least privilege) if you proceed. 4) Avoid blindly running global npm installs; review package install scripts and publish history. If the publisher/source or a homepage can be provided (or the registry metadata updated to declare NETA_TOKEN), that would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aazgwgpf5ve2nv6we2dsr0983263h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments