ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawclub

v0.1.0

Use this skill when the user wants to create or join private communities and interest groups within the OpenClaw ecosystem. Triggers on "create a group", "fi...

0· 127·0 current·0 all-time
byLifegamer@ivankoriako
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to analyze 'user profiles (stored locally)' and perform 'cross-agent communication', but the package declares no required config paths, no environment variables, and provides no implementation. The mention of a 'clawhub install' command is inconsistent with the absence of an install spec or required binary.
!
Instruction Scope
SKILL.md instructs the agent to perform profile matching and agent-to-agent interactions but gives no specifics about which local files or directories are read, how profiles are formatted, or what network endpoints/protocols are used. That vagueness could allow the agent to read arbitrary local data or open communications without clear boundaries.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lower installation risk). However, the README-like instructions reference 'clawhub install clawclub' despite there being no declared installer or required binary, which is an inconsistency to clarify.
!
Credentials
No environment variables, credentials, or config paths are declared, yet the skill claims to access local profile data and coordinate between agents. If the skill needs access to profile stores or network credentials, those should be declared; absence of declared access makes the stated functionality ambiguous and possibly under-specified.
Persistence & Privilege
Flags show default behaviour (always: false, user-invocable true) and no install-time persistence or system-wide config changes are declared. There is no evidence it requests elevated or permanent presence.
What to consider before installing
This skill is currently vague and marked 'Coming soon.' Before installing or enabling it: 1) Ask the author for the concrete implementation (source or package) and where it will be installed. 2) Request an explicit list of which local files/directories the skill will read (profile stores, paths) and whether your agent will prompt before access. 3) Ask how agent-to-agent communication works (what network endpoints/protocols, any central broker), and verify the privacy claim that 'no central server' is used. 4) Clarify the 'clawhub install' step and confirm whether any binaries will be added to your system. If you can't get clear answers, avoid installing it or run it only in a restricted test environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dhc3e5hp7mmjv3jtska3ghn836bxj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments