ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dooray Hook

v0.1.1

Send automated notifications to Dooray! messenger channels via webhooks.

2· 934·0 current·0 all-time
byKirin Choi@iizs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match its behavior: it sends POSTs to Dooray webhook URLs. Declared requirement (python3) and the required config path (skills.entries.dooray-hook.config in ~/.openclaw/openclaw.json) are appropriate and necessary for the stated function. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and the script limit activity to reading the OpenClaw config and POSTing JSON to Dooray webhook URLs. Minor note: the skill supports an opt-in 'verify_ssl: false' config which disables certificate verification — this is documented and opt-in but weakens TLS guarantees if used.
Install Mechanism
Instruction-only skill with an included Python script; there is no install/download step, no external packages, and nothing written to disk by an installer.
Credentials
No environment variables or external credentials are requested. The single required config path is proportional (it must read stored webhook URLs). The SKILL.md correctly warns that webhook URLs are secrets and should be protected in the local config file.
Persistence & Privilege
The skill does not request 'always' presence and does not modify other skills or system-wide settings. disable-model-invocation is false (normal), so the agent could invoke the skill autonomously — this is the platform default and not combined with other red flags here.
Assessment
This skill appears to do exactly what it claims: read Dooray webhook URLs from your ~/.openclaw/openclaw.json and POST messages to them. Before installing, ensure: (1) The webhook URLs in your OpenClaw config are stored securely (restrict file permissions, do not commit them to version control). (2) You understand that setting verify_ssl: false disables TLS certificate checks — avoid this unless you trust the network/proxy. (3) The agent may be allowed to call the skill autonomously by default; if you want to prevent automated outbound messages, restrict agent permissions or invocation. If you prefer not to store secrets in a global JSON file, consider keeping webhooks in a more secure secret store or environment mechanism and adapting the script accordingly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97csn4bv8kxw8rbt1abpat5tx8119j7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📨 Clawdis
Binspython3
Configskills.entries.dooray-hook.config

Comments