Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

physics-simulator

v1.0.0

Simulate physics experiments

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md describes the skill as 'Simulate physics experiments' and gives a usage command that runs scripts/physics_simulator.py, but the package contains no code files or install steps. A simulation skill would normally include the simulator code, a remote API endpoint, or an install spec; none are present, so it's unclear how the skill actually performs simulations.
[!] Instruction Scope
The instructions explicitly tell the agent to run a local Python script path (scripts/physics_simulator.py) and to export SIMULATION_API_KEY. The skill bundle contains no such script and the declared requirements list no env vars, so the runtime instructions reference files and secrets that are not part of the skill — this mismatch could cause an agent to attempt arbitrary local commands or request secrets without a clear target.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general. However, the usage assumes a Python script exists in the environment; without install instructions or code, the skill is incomplete and relies on external, unspecified artifacts being present on the host.
[!] Credentials
The SKILL.md asks users to set SIMULATION_API_KEY, but the registry metadata lists no required environment variables or primary credential. Requesting an API key is plausible for a simulator that calls a remote service, but because no endpoint, provider, or credential declaration is present, the need for this secret is unexplained.
Persistence & Privilege
The skill does not request always-on presence and uses default autonomous invocation settings. There is no evidence it requests elevated persistence or attempts to modify other skills or system-wide settings.
What to consider before installing
This skill appears incomplete and inconsistent. Do NOT provide any API keys or secrets to it yet. Before installing or enabling:
1) Ask the publisher for the simulator code, source repo, or a clear remote API endpoint and documentation explaining what SIMULATION_API_KEY is for.
2) Verify that scripts/physics_simulator.py (or an install step) is included. If not, treat the skill as non-functional.
3) If you must test, run it in an isolated/sandboxed environment and monitor network activity.
4) Prefer skills that declare required env vars and include code or an install spec; if the author cannot explain the missing pieces, avoid using the skill.

Like a lobster shell, security has layers — review code before you run it.
