Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the TypeScript code all implement an asset/material library (upload, search, versioning, tagging). The functionality requested by the skill aligns with its stated purpose. There are no unrelated requested credentials, binaries, or config paths.
Instruction Scope
The SKILL.md instructions and API usage (api.executeAction, events) stay within the scope of material management. The code uses api.config?.autoTagging and api.log — expected for a skill. No instructions ask the agent to read unrelated system files or exfiltrate environment variables. However, the SKILL.md says TypeScript must be compiled but the package provides no install/build automation or runtime binary requirements, which is an operational inconsistency to resolve.
Install Mechanism
There is no install spec even though the package contains TypeScript source (index.ts) and a package.json. Running this skill would realistically require a TypeScript build step and a Node runtime (or an explicit install flow). The absence of any install/build instructions or declared required binaries (tsc/node) is inconsistent and could lead to runtime errors. Also the index.ts file appears truncated in the listing (trailing 'a …[truncated]'), which may indicate the source is incomplete or corrupted.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The code does not access secrets or external credentials; storeFile currently returns a mock token and there are comments about integrating with external storage but no actual external calls. The requested environment access is proportionate to the stated functionality.
Persistence & Privilege
The skill is not flagged always:true and is user-invocable. It does not request persistent system privileges or attempt to modify other skills' configuration. No suspicious persistence behavior is present.
What to consider before installing
This skill appears to implement an in-memory material library and does not request credentials, which is good. However: (1) the package contains TypeScript source but no install/build spec or required runtime (tsc/node) — ask the author how you should build and run it or expect runtime errors; (2) the index.ts listing is truncated in the manifest (ends with a stray 'a …[truncated]'), which could mean the source is incomplete or corrupted — do not deploy until you get the full file; (3) the code contains stubbed comments about integrating external storage (feishu_drive_file) but currently uses a mock token — if you want real storage you will need to confirm what storage service is used and what credentials it requires; (4) request the project homepage / source repo and an install guide or a signed release artifact so you can review the complete code. If you cannot obtain the full source and a clear build/install process, treat this skill as untrusted and test in an isolated sandbox only.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cws1y8vha8pjkp7hvb52pzn837164
Runtime requirements
📚 Clawdis
