Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A11y Audit Migrated

v1.0.0

Skill migrated from examples - a11y-audit with full capabilities

by José Cuevas (@jacr6)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim a full-featured a11y audit, but the package contains no code, no declared dependencies, and no environment configuration; examples reference local modules under ~/.opencode/skills rather than providing an implementation. The requested resources do not match the claimed 'complete capabilities'.
Instruction Scope
SKILL.md contains only metadata and usage examples with placeholders; it does not define concrete, scoped runtime steps. Examples require local modules and an 'OptimizedSubagent' with an open-ended execute() body, which is effectively granting broad discretion to run arbitrary code if those modules exist. Instructions are vague and could lead the agent to load/execute unknown local code.
Install Mechanism
No install spec and no code files are included, which minimizes direct installation risk. Nothing will be written or downloaded by the skill as provided.
Credentials
The skill declares no environment variables, credentials, or config paths. There are no disproportionate secret requests in the manifest.
Persistence & Privilege
Flags are default (not always), and there is no indication the skill requests permanent presence or modifies other skills or system settings.
What to consider before installing
This SKILL.md looks like documentation/examples rather than a working skill. Before installing or enabling it:
1) ask the publisher for the actual implementation files or a link to a trusted code repository;
2) verify whether the referenced local modules (e.g., ~/.opencode/skills/...) exist and inspect their code — they could execute arbitrary local code;
3) avoid running or granting the skill access to sensitive data or credentials until you see its code and dependency list;
4) if you want to test, do so in an isolated environment (container or VM) and review any code for network calls or file access.
The main risk here is vagueness and hidden behavior, not an explicit exploit in the provided files.

Like a lobster shell, security has layers — review code before you run it.
