Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LINE OpenAPI Skill

v1.0.0

Operate LINE Messaging API through UXC with a curated OpenAPI schema, bearer-token auth, and messaging-core guardrails.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, included OpenAPI schema, and SKILL.md all consistently target the LINE Messaging API core surfaces (bot info, profile, push/reply messages, webhook endpoint management) and use 'uxc' as the execution layer. The only minor incoherence is that the SKILL.md expects a channel access token but the registry metadata lists no required env vars.
Instruction Scope
SKILL.md gives narrow, concrete runtime instructions: require 'uxc' on PATH, network access to https://api.line.me and the schema URL, link a fixed CLI, inspect operation schema, and prefer read/validate before write operations. It includes explicit guardrails (require user confirmation for writes, replyToken rules) and does not instruct reading unrelated files or transmitting data to unexpected endpoints.
Install Mechanism
This is instruction-only (no install spec), so nothing arbitrary is downloaded or installed by default. The included schema is local and the SKILL.md references a raw.githubusercontent.com URL (a known host) if users want the hosted copy. The validation script requires 'rg' and 'jq' but those are only used for local validation and not automatically installed.
Credentials
Operational instructions explicitly show configuring a bearer credential that uses the environment variable LINE_CHANNEL_ACCESS_TOKEN, but the skill's registry metadata lists no required env vars or primary credential. That mismatch is an incoherence: the skill will need a secret (LINE channel access token) to operate, yet the manifest doesn't declare it. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not 'always' enabled and is user-invocable; model invocation is allowed (the platform default). It does not request system-wide configuration changes, nor does it persist credentials beyond the standard 'uxc auth' binding pattern described in the README.
What to consider before installing
This skill is coherent with its stated LINE Messaging API purpose, but before installing or supplying secrets you should:
(1) confirm you are comfortable providing a LINE channel access token — the SKILL.md expects one (LINE_CHANNEL_ACCESS_TOKEN) even though the registry metadata omitted it;
(2) prefer creating a scoped/limited channel token for this skill and avoid using long-lived/fuller-permission tokens;
(3) review the included references/line-messaging.openapi.json to ensure no unexpected endpoints are present;
(4) verify you have a trusted 'uxc' binary on PATH before running commands;
(5) run the provided scripts/validate.sh locally (it requires ripgrep 'rg' and 'jq') to validate file coherence;
(6) do not paste your token into chat messages — configure it in your environment or secret manager as the SKILL.md shows; and
(7) request the publisher to update the skill metadata to declare the required env var/primary credential so the manifest and runtime instructions match.

Like a lobster shell, security has layers — review code before you run it.
