Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim to 'Manage state machines', which is reasonable, but the SKILL.md instructs running python3 scripts/state_machine.py and setting MACHINE_API_KEY — yet the skill bundle contains no scripts, no install, and the registry metadata lists no required env vars. The requested pieces (a script and an API key) are not present or declared, so the manifest doesn't align with the claimed capability.
Instruction Scope
Runtime instructions tell the agent to execute a local Python script path (scripts/state_machine.py) and to set MACHINE_API_KEY. Because no script files are included, the instructions are either incomplete or expect external artifacts. The instructions also reference an environment secret that could be read/transmitted, but that env var is not declared in the skill metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes direct installation risk. However, the absence of the referenced script reduces usability and creates ambiguity rather than reducing risk.
Credentials
SKILL.md asks users to export MACHINE_API_KEY, yet the registry metadata declares no required env vars and no primary credential. Requesting an API key without declaring it in the manifest or explaining what service the key is for is disproportionate and unexplained.
Persistence & Privilege
The skill does not request always-on presence and does not modify other skills or system settings. No elevated persistence privileges are requested in the manifest.
What to consider before installing
Do not install or run this skill until the author fixes the inconsistencies. Ask the publisher to: (1) include the referenced scripts/state_machine.py (or remove the usage), (2) add any required environment variables (MACHINE_API_KEY) to the registry metadata with an explanation of what service the key is for and why it's needed, and (3) document any external endpoints or network calls. Avoid exporting sensitive credentials globally; instead, provision test credentials in a safe environment or inspect the provided code before providing real secrets. If you must try it, run inside a sandboxed environment and verify the code and network activity first.
Like a lobster shell, security has layers — review code before you run it.
latest vk97evv4pkcr5s1c3ypzvwr056x83m7m2
