Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skillcraft
v1.0.0
Design and build OpenClaw skills. Use when asked to "make/build/craft a skill", extract ad-hoc functionality into a skill, or package scripts/instructions for reuse. Covers OpenClaw-specific integration (tool calling, memory, message routing, cron, canvas, nodes) and ClawHub publishing.
⭐ 7 · 3k · 16 current · 16 all-time
by @jmz1
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (skill designer for OpenClaw) matches the content: the SKILL.md and pattern files are templates and guidance for packaging skills, routing, cron, memory, and publishing. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
The runtime instructions tell the agent to inspect available skills, workspace files, and to place state under `{baseDir}`/`<workspace>`. This is expected for a skill-authoring guide, but it means the agent will read other skills and workspace files when following these instructions — review those reads if you have sensitive data in workspace files or other skill bodies.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install profile (nothing is downloaded or written by an installer).
Credentials
The skill declares no required environment variables or credentials. It does provide guidance for how skill authors should *store* secrets (env vars, keychain, 1Password CLI), which is advisory and not a request for secrets from the runner.
Persistence & Privilege
always:false and no config paths requested. The skill recommends locations for skill-local state files but does not request global agent configuration changes or persistent privileges.
Assessment
This skill is an authoring guide and is internally consistent. Because it instructs agents to read other skills and workspace files, review any workspace content and other skills for sensitive data before using it to auto-extract or package code. The skill itself asks for no credentials and performs no installs, but be cautious if you follow its guidance to add state files or to request environment variables later when authoring new skills — never hardcode secrets into SKILL.md or published skill files, and review any resulting SKILL.md or install steps before publishing or installing. If you do not want agents to autonomously create/publish skills, consider controlling invocation or review outputs manually.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧶 Clawdis
