Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Neta Suggest

v0.1.0

Neta API research and recommendation skill — provide keyword/tag/category suggestions, validate taxonomy paths, and power multi‑mode content feeds, supportin...

by Hu Xiuhan (@huxiuhan)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a taxonomy/tag/content-suggestion CLI (neta-cli) and the commands/invocations in the document align with that purpose. However, the registry metadata claims no required env vars or binaries while the instructions explicitly require NETA_TOKEN and a neta-cli/npm package, so the metadata and runtime instructions are inconsistent.
Instruction Scope
The runtime instructions are scoped to using neta-cli commands (suggest_keywords/tags/categories/content) and installing an npm package. The SKILL.md does not instruct the agent to read unrelated files, system paths, or to exfiltrate arbitrary data; it stays within the described content-recommendation domain.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md tells users to globally install @talesofai/neta-skills (npm/pnpm). Global npm installs are common for CLIs but they run code from the npm registry (postinstall scripts, etc.). This is expected for a CLI skill but is a moderate-risk action that should be verified (check the package source, maintainers, and published files before installing globally).
Credentials
The instructions require a NETA_TOKEN environment variable, but the skill metadata lists no required env vars or primary credential. Requesting a token is proportionate for an API-backed CLI, but the omission from the declared requirements is a mismatch that reduces transparency and could lead to inadvertent token exposure. Confirm what NETA_TOKEN provides access to and whether its scope is limited before supplying it.
Persistence & Privilege
The skill is not marked always:true and does not declare modifications to system-wide configs or other skills. It is user-invocable and may be invoked autonomously by the agent (platform default), which is normal for skills.
What to consider before installing
This skill appears to be a CLI wrapper for a content/taxonomy recommendation service, and the instructions are consistent with that. Before installing or providing credentials:
1) Verify that the package @talesofai/neta-skills exists on npm and inspect its repository/homepage and recent publish history.
2) Confirm what NETA_TOKEN is (which service it authenticates, what permissions/scopes it grants) and avoid supplying a broad or long-lived token.
3) Prefer installing in a controlled environment (container or non-production machine), or avoid global (-g) installs until you have audited the package.
4) Ask the skill author or registry for the missing metadata (required env vars and homepage/source); the metadata should list NETA_TOKEN if it is required.
5) If you must proceed, limit the token's scope and rotate or revoke it if you later remove the skill or suspect misuse.
