Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
json-converter
v1.0.0 · Convert JSON to other formats
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose is a simple JSON converter, but the SKILL.md expects running `python3 scripts/json_converter.py` and setting a JSON_API_KEY. The bundle contains no code files and the registry metadata declares no required binaries or env vars, so the capability described is not delivered by the provided package.
Instruction Scope
Runtime instructions tell the agent to run a local script path (scripts/json_converter.py) and to export an API key. The referenced script does not exist in the skill, and the SKILL.md asks for a secret (JSON_API_KEY) without explaining why or what external service will receive data—this is scope creep and ambiguous behavior.
Install Mechanism
There is no install spec (instruction-only), which is low risk by itself, but the instructions assume a local Python script and the presence of python3. The skill does not declare python3 or provide the script, so installation/runtime will fail or require out-of-band files.
Credentials
SKILL.md instructs the user to set JSON_API_KEY, but the skill metadata lists no required environment variables and gives no justification for a secret. Requesting an API key for a simple conversion tool is disproportionate and could be used to exfiltrate data if the missing script sends data externally.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not declare modifications to other skills or system settings. Autonomous invocation is allowed by default, which is normal; combine this with the other concerns before enabling.
What to consider before installing
Do not install or provide secrets to this skill yet. The SKILL.md references a local script (scripts/json_converter.py) and a JSON_API_KEY that are not included or declared in the registry metadata. Ask the publisher for: (1) the missing code or an install spec that produces the script, (2) a clear explanation of what JSON_API_KEY is used for and what external endpoints (if any) are contacted, and (3) an updated manifest that declares required binaries (e.g., python3) and any required env vars. Only set an API key if you trust the author and understand where the data will be sent.
Like a lobster shell, security has layers — review code before you run it.
