Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (helpdesk ticketing) matches the requested TICKET_API_KEY in SKILL.md, but the registry metadata lists no required env vars or binaries. Asking for an API key is reasonable for a helpdesk integration, yet the manifest failing to declare it is an incoherence that reduces trust.
Instruction Scope
SKILL.md tells the agent to run: `python3 scripts/helpdesk.py --input <input> --output <output>`, and to set TICKET_API_KEY. However, the skill bundle contains no scripts or code files. The instructions therefore reference files and runtime actions that are not present in the package — a clear mismatch and a vector for confusion or hidden behavior if the agent attempts to fetch or run external code.
Install Mechanism
There is no install spec (instruction-only), which is low risk in itself. However, the usage depends on `python3` and a local script; the manifest claims no required binaries. This is likely an oversight but is inconsistent with the runtime instructions.
Credentials
The SKILL.md asks users to set TICKET_API_KEY, which is appropriate for a ticketing integration, but the skill's declared requirements list no environment variables and no primary credential. The mismatch between declared and actually required secrets is concerning because it hides the true credential needs.
Persistence & Privilege
The skill does not request elevated persistence: `always` is false, no install steps modify agent config, and there are no config paths requested. Autonomous invocation is allowed (platform default) but is not combined here with other high privileges.
What to consider before installing
Do not install or run this skill as-is. The SKILL.md tells the agent to run a local script (scripts/helpdesk.py) and to use TICKET_API_KEY, but the package contains no code and the registry metadata lists no required env vars or binaries — this inconsistency could cause the agent to attempt to fetch or execute external code or to mis-handle credentials. Ask the publisher for the missing files and a clear explanation: provide the helpdesk script, the exact API endpoint(s) it talks to, and update the manifest to declare required binaries (python3) and required env vars. Only provide real API keys after you verify the code and the service endpoint. If you can't get those clarifications, treat the skill as untrusted and avoid supplying credentials or running commands it suggests.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cajha45bed8knfndnkmaarh83mbyt
