ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Logseq

v1.0.0

Provide commands for interacting with a local Logseq instance through its Plugin API. Use for creating pages, inserting blocks, querying the graph database, managing tasks, retrieving content, or automating workflows in Logseq. Only works with a locally running instance with the API enabled; default port or set path expected for [$API accessible skill].

6· 3.2k·7 current·7 all-time
by@juanirm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the content: everything in SKILL.md documents the Logseq Plugin API and local automation approaches. No unrelated environment variables, binaries, or install steps are requested. The only external dependency mentioned (@logseq/libs via npm) is directly relevant to scripting Logseq.
Instruction Scope
The instructions stay within the stated purpose (reading/writing/querying a local Logseq graph). They recommend two approaches: a bridge plugin that exposes API endpoints over HTTP and using @logseq/libs from Node.js. The bridge approach can expose your local notes if the HTTP endpoint is not carefully bound to localhost or secured; the SKILL.md does not provide guidance on access controls. The docs also show use of logseq.Git.execCommand and other operations that can modify repository files—expected for this purpose but powerful, so be aware these actions modify local data.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written or executed by installing the skill itself. The SKILL.md suggests optionally running `npm install @logseq/libs` for Node.js scripts; that is a normal, proportional dependency for scripting Logseq.
Credentials
No environment variables, credentials, or config paths are requested. This aligns with a local-API skill. Note: performing Git operations against remote repositories may require existing git credentials/config on the host—this is expected behavior, not a hidden credential request.
Persistence & Privilege
The skill does not request persistent presence (always: false) and is user-invocable. There is no code or install that changes other skills or system-wide settings in the package, consistent with an instruction-only helper.
Assessment
This skill is documentation and examples for talking to a locally running Logseq instance — it won't magically connect to remote services or ask for secrets. Before using: (1) only enable or install an HTTP bridge if you bind it to localhost and/or add authentication so other machines can't access your notes; (2) verify any npm package versions (e.g., @logseq/libs) you install come from the official registry; (3) be aware API calls and logseq.Git.execCommand can modify or move your local files—backup important data and ensure you have appropriate git credentials configured if operating on remote repos; (4) because the skill is instruction-only, no code will run until you implement a bridge or run scripts yourself, so review any bridge/plugin code you write or install.

Like a lobster shell, security has layers — review code before you run it.

latestvk9720gn0k3j8jskw46z0e0h40n80adzn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments