Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

html-publisher

v1.0.1

Publishes HTML content as an online web page and returns an accessible URL. Invoke it when the user wants to put HTML online, generate a share link, or turn web page content into a public URL.

by AIconductor@huyi9531
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw
Suspicious
high confidence
! Purpose & Capability
The SKILL.md explicitly requires running a 'gnomic' CLI to upload HTML, but the skill metadata lists no required binaries and provides no install spec. Declaring no binaries is inconsistent with the stated purpose of invoking gnomic.
! Instruction Scope
Instructions tell the agent to read local HTML files and run 'gnomic content html2url' which will upload content to a remote service and return a public URL. That matches the stated purpose, but the exact remote endpoint/service is not defined (example URL uses ts.fyshark.com), so it's unclear what external host will receive the content. Reading local files is expected, but uploading arbitrary HTML (possibly sensitive) to an unknown public endpoint is a privacy risk.
! Install Mechanism
There is no formal install spec, yet the doc suggests installing 'gnomic-cli' globally via 'npm install -g gnomic-cli' and links to a GitHub repo. Installing an npm package globally executes third-party code; the skill should have declared this dependency or provided a vetted install spec. The npm package source and maintainer were not validated in the skill metadata.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate to an instruction-only publisher that uses a local CLI and uploads data. No unexplained secrets are requested.
Persistence & Privilege
The 'always' field is false and the skill is user-invocable; it does not request persistent privileges or system-level configuration changes in the metadata.
What to consider before installing
This skill is instruction-only but depends on a third-party CLI (gnomic/gnomic-cli). Before installing or using it:
1) Verify the npm package name and author and review the gnomic-cli source on GitHub to ensure it's trustworthy.
2) Understand that running the commands will upload whatever HTML you provide to a remote host (example URL uses ts.fyshark.com); do not publish sensitive content.
3) Prefer testing with non-sensitive dummy pages first.
4) If you need stronger guarantees, install gnomic-cli in a sandbox or inspect its code locally rather than running a global npm install.
5) Consider asking the skill author/source for clarification about which service/endpoint is used for hosting and for an install spec that the skill metadata should declare.
