ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LM Studio

v1.0.0

Run and integrate LM Studio with local model lifecycle control, OpenAI-compatible APIs, embeddings, and MCP-aware workflows.

0· 210·1 current·1 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: this is an instruction-only skill for operating LM Studio and integrating local OpenAI-compatible endpoints. Required binaries (curl, jq) are appropriate. However, the SKILL.md frontmatter declares a configPaths entry (~/lm-studio/) while the registry metadata reported no required config paths — that mismatch is an inconsistency (likely sloppy metadata) worth flagging because the skill expects to read/write a directory in the user's home.
Instruction Scope
The runtime instructions stay within the stated purpose: reachability checks, model lifecycle (using lms if present), API recipes against http://localhost:1234, and templates for ~/lm-studio/memory.md. The skill explicitly instructs the agent to create and update files under ~/lm-studio/. It does not request secrets or external endpoints by default and repeatedly warns to keep MCP/remote servers off unless the user asks.
Install Mechanism
No install spec and no code files: instruction-only. This is low risk from an install perspective because nothing is downloaded or written by an installer. The agent will run local commands (curl, lms) but the skill doesn't pull external artifacts itself.
Credentials
The skill declares no required environment variables or credentials and the instructions avoid asking for secrets. It does reference optional local tools (lms, llmster) but these are reasonable for the described tasks and do not imply unrelated credential access.
!
Persistence & Privilege
Although always:false (not force-included) and autonomous invocation is the platform default (not a standalone red flag), the skill instructs creating and maintaining persistent files under ~/lm-studio/. The registry metadata did not declare required config paths even though the SKILL.md does — that discrepancy affects expectations about what will be written to disk. Consider whether you want an agent that can autonomously write persistent notes and known-good configurations in your home directory.
What to consider before installing
This skill appears to do what it claims (manage and test a local LM Studio runtime), but you should be aware it will read and write files under ~/lm-studio/ and run local commands (curl, optionally lms/llmster). Before installing: 1) Confirm you're comfortable with the skill creating ~/lm-studio/ files (memory.md, server-notes, etc.). 2) Note the registry metadata does not declare the config path even though SKILL.md references it — treat that as a metadata inconsistency. 3) Only enable MCP/remote servers if you explicitly trust the remote endpoint; the skill warns against adding untrusted MCP servers. 4) Because it's instruction-only, there is no bundled code to audit beyond the markdown — if you want tighter safety, run the agent with user-invocation-only or test inside an isolated account/container. 5) Verify the provenance (owner slug/homepage) and ensure any required CLI tools (lms) are from trusted sources. If you want, I can extract the exact file write/read operations this skill will perform so you can review them line-by-line before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976d3hh5wkay381v9xykhdmhx82srb2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧪 Clawdis
OSLinux · macOS · Windows
Binscurl, jq

Comments