Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nocodb
v0.1.0
Access and manage NocoDB databases via v3 REST API. Use for managing workspaces, bases, tables, fields, views, records, and more. Supports filtering, sorting...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md, and included script all implement a NocoDB v3 CLI that talks to the NocoDB REST API. However, the skill registry metadata claims no required env vars or binaries while the script explicitly requires NOCODB_TOKEN (and optionally NOCODB_URL/NOCODB_VERBOSE) and depends on curl and jq. That mismatch is likely an oversight but is disproportionate to the declared metadata.
Instruction Scope
SKILL.md instructs the user to set NOCODB_TOKEN and (optionally) NOCODB_URL/NOCODB_VERBOSE and documents CLI commands that operate only against the NocoDB API. The runtime instructions and examples stay within the described purpose and do not request unrelated system data or send data to unexpected endpoints.
Install Mechanism
There is no install spec; the skill ships an included shell script (scripts/noco.sh) and usage documentation. No remote downloads or archive extraction are performed, so install risk is low. The presence of an executable script means the agent will run bundled code rather than only following prose.
Credentials
The script requires NOCODB_TOKEN (and optionally NOCODB_URL/NOCODB_VERBOSE) to operate, which is appropriate for a NocoDB client. But the registry metadata lists no required env vars and no primary credential — an inconsistency. Also, the script uses curl and jq without declaring them as required binaries. The token grants access to your NocoDB account; ensure the token's scope/permissions are minimal and intended for this use.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request persistent agent-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other alarming flags.
What to consider before installing
This skill appears to be a legitimate NocoDB v3 CLI, but the registry metadata fails to declare the real runtime requirements. Before installing or running it:
1) Verify you are willing to provide an API token (NOCODB_TOKEN) and consider creating a token with minimal permissions or a temporary token.
2) Ensure the runtime environment has curl and jq available (the script will fail otherwise).
3) Inspect the bundled script (scripts/noco.sh) yourself (it is included) to confirm it contacts only your NocoDB instance (default https://app.nocodb.com or the NOCODB_URL you set).
4) Be cautious with commands that upload or read local files (attachment upload will read a file path you supply).
5) Ask the publisher to update registry metadata to list required env vars and binaries — lack of that information is the main incoherence here.
Like a lobster shell, security has layers — review code before you run it.
