Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (media export, conversion, distribution) align with the included TypeScript implementation: package creation, validation, packaging, and simulated uploads. No unrelated environment variables, binaries, or credentials are requested. Minor mismatch: SKILL.md uses api.executeAction names like 'delivery-distribution.export' while the code registers a 'delivery' command API, which is an inconsistency between documentation and implementation.
Instruction Scope
SKILL.md instructions stay within the stated domain and show API calls for export/distribute/package. The implementation logs, manages in-memory packages, and returns mock file paths (/tmp/...). It does not read arbitrary system files or environment variables in the visible portion. However, the SKILL.md's action names don't match the registerCommand names in the code, and the source file provided in the listing is truncated — the remaining code (not shown) could contain additional instructions (network calls, credential access, or external endpoints).
Install Mechanism
No install spec is present. The package is TypeScript source with no runtime dependencies in package.json; build requires tsc (devDependency). This is low-risk from an install perspective. Note: SKILL.md mentions TypeScript compilation but no automated install/build is provided; ensure the runtime environment can compile/run the code.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The visible code does not attempt to access environment variables or secrets. This is proportionate to its stated purpose as a local packaging/distribution helper.
Persistence & Privilege
always is false and the skill is user-invocable. It registers commands via the skill API (normal). The visible code does not modify other skills or system-wide settings. No elevated privileges are requested in the visible code.
What to consider before installing
Things to consider before installing:
- The visible code appears coherent and does not request credentials or perform network calls, but the index.ts listing was truncated in your package dump. Obtain and review the complete index.ts to ensure there are no hidden network uploads, credential reads, or external endpoints.
- SKILL.md references api.executeAction names that don't match the registerCommand names in the code; confirm the intended integration surface so the agent will call the real entry points.
- The implementation mostly returns mock /tmp paths and simulates uploads — it does not actually integrate with platform APIs in the visible code. If you need real uploads, expect to add platform-specific authentication and API integration; verify where credentials would be stored and that they're limited in scope.
- Ensure the runtime environment can safely compile/run TypeScript (tsc) and that writing temporary files under /tmp is acceptable and cleaned up — watch for sensitive data being written to world-readable temp locations.
- If you cannot review the remaining source, run the skill in a sandboxed environment and monitor outbound network traffic and file system activity before granting it access to production data or credentials.
latest: vk97fcvg88e8qt6pzdgvfk8w5ds836mp1
Runtime requirements
🚚 Clawdis
