Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ab-test-analyzer

v1.0.0

Analyze A/B test results

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill claims to 'Analyze A/B test results' and shows a usage line that runs python3 scripts/ab_test_analyzer.py, implying shipped code. However, the package contains no code files and the registry metadata lists no required env vars or credentials. Asking to run a local script is inconsistent with an instruction-only skill that provides no script.
[!] Instruction Scope
SKILL.md directs execution of a specific local script path and tells the user to set AB_API_KEY, but does not explain what the API key is for or where the script comes from. The instructions therefore tell the agent to access a file and an environment secret that are not present or declared, which expands scope beyond what's packaged.
Install Mechanism
There is no install spec (instruction-only), which is the lowest install risk. That said, because the instructions expect a local Python script, the agent could attempt to execute arbitrary Python if such a file exists in the environment—this is a consequence of the missing code rather than an installer issue.
[!] Credentials
The SKILL.md asks users to set AB_API_KEY but the skill metadata lists no required environment variables or primary credential. The purpose doesn't justify an undeclared secret; it's unclear what service the key would grant access to and why an API key is necessary for a simple analyzer.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no config paths, no install). Autonomous invocation is allowed by default, which is normal and not by itself a concern here.
What to consider before installing
Do not provide secrets or run the skill yet. The package contains only a SKILL.md that instructs running 'scripts/ab_test_analyzer.py' and exporting AB_API_KEY, but there is no script or declared env var in the published bundle. Ask the publisher for the actual code or a link to a repository, and for details about what AB_API_KEY is (which service it belongs to and why it is needed). If you must test, inspect the script source first and avoid using real/privileged API keys—use a throwaway key or sandbox. If you already have a file at 'scripts/ab_test_analyzer.py' in your environment, be cautious: the agent could execute it, so verify its contents before allowing the skill to run.

Like a lobster shell, security has layers — review code before you run it.
