Pokemon
v1.0.0
CLI for AI agents to look up Pokémon info for their humans. Uses PokéAPI. No auth required.
by @jeffaf
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill describes a local CLI wrapper (commands like `pokemon`, script paths {skill_folder}/pokemon and scripts/pokemon) and the README shows cloning a GitHub repo, but the package contains only README.md and SKILL.md (no script/executable or install spec). Required binaries (bash, curl, jq) are reasonable for calling the PokéAPI, but the missing wrapper is an incoherence: either the package should include the CLI or the SKILL.md should show how to call the API directly.
Instruction Scope
Runtime instructions only call the local `pokemon` CLI and the PokéAPI (pokeapi.co). They do not request unrelated files, credentials, or other system data. However, because the SKILL.md expects a local executable that isn't present in the package, whoever installs may be instructed (by README) to clone a remote repo and run chmod — introducing an implicit step that isn't part of the packaged instructions.
Install Mechanism
There is no install spec in the package (lowest-risk form). The README suggests cloning https://github.com/jeffaf/pokemon-skill.git and making scripts executable; that is a manual download from an external source. If a user follows those steps, they will run arbitrary code from that GitHub repo — reasonable if the repo is trusted, but the skill package should have been self-contained or provided a verified install source.
Credentials
No environment variables, credentials, or config paths are requested. This is proportional to the stated purpose (public PokéAPI access requires no auth).
Persistence & Privilege
The skill does not request always:true and does not require persistent privileges. It allows autonomous invocation (platform default), which is expected for skills.
What to consider before installing
This skill is plausible for looking up Pokémon data (it just queries pokeapi.co), but the package is incomplete: it refers to a local 'pokemon' CLI/script that is not included. Before installing or running anything:
1) Ask the publisher to provide the executable or a formal install spec, or include the script in the skill package.
2) If you follow the README to git clone the GitHub repo, inspect the repo's scripts first (open the scripts/pokemon file) to verify there is no unexpected network contact, credential collection, or destructive commands.
3) Prefer to run the CLI in a sandbox or VM the first time.
4) Confirm that network calls go only to pokeapi.co (and known raw.githubusercontent.com assets, if present) and that no environment secrets are required.
If you cannot verify the remote repo or the script contents, do not run unknown executables on a production machine.
Like a lobster shell, security has layers — review code before you run it.
latest vk972wnys0jkghgsx38qja1g9kn80jv5n
Runtime requirements
⚡ Clawdis
Bins: bash, curl, jq
