Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
knitting-pattern
v1.0.0 · Find knitting patterns
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to 'Find knitting patterns' but the runtime instructions tell the agent to run python3 scripts/knitting_pattern.py — there is no code file in the bundle. The SKILL.md also asks for KNITTING_API_KEY while the registry lists no required environment variables. These mismatches indicate the manifest, metadata, and runtime instructions are not coherent.
Instruction Scope
Instructions require running a local script and setting an API key, but provide no details about the script's source, behavior, or network interactions. The instructions do not reference any other system files, but they are vague and assume presence of files and secrets that are not included or declared.
Install Mechanism
There is no install spec and no code is bundled. That minimizes automatic disk writes or downloads. However, because the instructions expect a local script, the agent or user would need to supply it manually — the lack of an install step is consistent with an instruction-only skill.
Credentials
SKILL.md asks users to export KNITTING_API_KEY, but the registry metadata lists no required env vars and no primary credential. Requesting a single API key would be proportionate for a pattern-searching service, but the undeclared/undocumented nature of this credential is inconsistent and should be clarified before providing secrets.
Persistence & Privilege
The skill does not request always: true, does not declare any config paths, and does not modify agent settings. It has normal, non-persistent privileges.
What to consider before installing
Do not provide secret API keys or run unknown local scripts for this skill yet. The SKILL.md references scripts/knitting_pattern.py and an environment variable KNITTING_API_KEY, but the package contains no code and the registry metadata doesn't declare any required env vars or binaries. Ask the publisher for the missing script, a clear explanation of what the API key is used for and which service the key is for, and a manifest that lists required binaries (e.g., python3) and env vars. If you must test it, inspect the actual script code locally before running it, and avoid reusing a high-privilege or long-lived secret key.
Like a lobster shell, security has layers — review code before you run it.
