Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cooking-timer

v1.0.0

Kitchen cooking timer

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description claim a simple 'kitchen cooking timer', but the SKILL.md expects running python3 scripts/cooking_timer.py and an environment variable TIMER_API_KEY. The registry lists no binaries, no required env vars, and no code files — those requirements do not match the stated purpose or the package contents.
! Instruction Scope
Runtime instructions tell the agent to execute a script at scripts/cooking_timer.py and to read TIMER_API_KEY from the environment. No such script exists in the manifest and the declared metadata does not include TIMER_API_KEY. The instructions therefore reference files/credentials outside the skill bundle.
Install Mechanism
There is no install spec and the skill is instruction-only, so nothing is written to disk by an installer. That lowers install-time risk, but also means the actual runtime behavior is undefined because the referenced code is missing.
! Credentials
SKILL.md asks users to set TIMER_API_KEY, yet requires.env and primary credential are empty in the registry. A simple cooking timer does not clearly justify an external API key; requesting a secret without explanation is disproportionate and suspicious.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and can be invoked autonomously (default), which is normal; no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill is inconsistent: its README tells you to run scripts/cooking_timer.py and to set a TIMER_API_KEY, but the published bundle contains only SKILL.md and declares no required env vars or code. Do not provide any secret (like an API key) to this skill. Ask the publisher for the missing script and a clear explanation of why an API key is needed, evidence of the code (link to a repository or packaged files), and an updated registry manifest that lists required binaries/env vars. If you must test it, run it in an isolated sandbox and avoid using real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk9702hyaa3nvzmf6s19p3nkprd83qge5
