Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ab Test

v1.0.0

Manage A/B tests

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description (A/B test manager) matches the SKILL.md intent, but the skill asks the agent to run python3 scripts/ab_test.py (which is not included) and to set AB_API_KEY. The registry metadata declares no env vars and no code files, so the declared capabilities do not align with the artifacts provided.
! Instruction Scope
The SKILL.md instructs the agent to execute an external script (python3 scripts/ab_test.py --input ... --output ...) and to read AB_API_KEY, but no script or code is bundled and the environment variable is not declared in the skill metadata. Instructions that rely on missing external files grant the agent broad discretion and are ambiguous — it's unclear what will actually run or what data would be sent.
Install Mechanism
There is no install spec (instruction-only), which is low risk in itself. However, the instructions expect a local 'scripts/ab_test.py' that is not present. That mismatch suggests either the skill is incomplete or it expects the agent/system to already have third-party code installed, which is a deployment risk and a sign of poor packaging.
! Credentials
SKILL.md requires AB_API_KEY (sensible for an A/B test service), but the skill metadata declares no required environment variables and no primary credential. Requiring an API key in runtime instructions but not declaring it is an incoherence and a red flag — users shouldn't provide secrets to an unclear/undocumented skill.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and doesn't claim system-wide config changes. Autonomous invocation is allowed by default (not flagged on its own).
What to consider before installing
Do not install or provide secrets to this skill yet. The SKILL.md tells the agent to run scripts/ab_test.py and to export AB_API_KEY, but the package contains no code and the registry metadata lists no required env vars. Ask the publisher for the missing script or a link to the source repository, and require that they update the skill metadata to declare any required credentials. Only supply an API key after you have (1) inspected the script/source code, (2) verified the endpoint/service the key is used with, and (3) limited the key's permissions or used a test key. If you must test now, run it in an isolated sandbox with a scoped test key and monitor outbound network traffic.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cc72vpm9bjbfnc5wsnxv8ms83njmd
