Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Magyar Formázás (Hungarian Formatting)

v1.0.0

Formats Hungarian dates, numbers, currency amounts, phone numbers and addresses according to local Hungarian conventions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the declared behavior (date, number, currency, phone, address formatting). However, the SKILL.md lists scripts (scripts/format_date.py, scripts/format_number.py, etc.) and reference files (references/*.md) that are not present in the package manifest — an inconsistency between claimed artifacts and the actual bundle.
Instruction Scope
The runtime instructions are limited to formatting rules and small example functions; they do not request credentials, system files, or network access. Still, the doc references external script files and reference docs that the agent would presumably rely on, but those files are missing from the skill, which makes the instructions incomplete.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes the risk of arbitrary code being written to disk or executed during install.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The SKILL.md does not reference hidden env vars or secrets. Requested access is proportional to the stated purpose.
Persistence & Privilege
The skill is not forced-always (always: false) and uses default autonomous invocation settings. There is no indication it attempts to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (Hungarian formatting) and requests no credentials or installs, so the immediate risk is low. However, the SKILL.md mentions scripts and reference files that are not included in the package and the source/homepage is unknown — this could mean the skill is incomplete or the registry entry is inaccurate. Before installing or enabling: (1) ask the publisher for the missing scripts/references or a homepage/source link; (2) test the skill on non-sensitive sample data to verify output; (3) avoid sending real PII until you confirm the implementation; and (4) prefer a skill package that includes the promised files or points to a trusted repository so you can review the actual code. If the publisher cannot provide the missing artifacts or a trustworthy source, treat the skill as untrusted.
