ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Capability Analyzer

v1.2.2

智能分析用户需求并推荐最适合的ClawHub技能,提供实时技能搜索、安全评估和使用建议。

0· 48·0 current·0 all-time
bylordest@jxyyjm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims real-time LLM-based requirement understanding and live ClawHub search (3,286+ skills) and VirusTotal integration, but the packaged code contains a small static local database and simulated API responses. README and SKILL.md give different corpus sizes (1,588 vs 3,286+). This mismatch suggests the packaging/documentation doesn't match the claimed live capabilities.
!
Instruction Scope
SKILL.md instructs running node analyze.cjs and mentions update-skills-db.sh and analyze.sh, but those scripts are not present. SKILL.md also claims local-only processing 'unless cloud API enabled' but requires OPENAI_API_KEY (primary) in metadata; the code sample does not use OPENAI_API_KEY (no LLM calls visible) and instead falls back to local DB and simulated ClawHub responses. The instructions thus request keys and tools beyond what the code actually does and reference missing files.
Install Mechanism
No install spec is provided (instruction-only), so nothing will be downloaded/installed by the platform. A code file (analyze.cjs) is included and executed by node — this is consistent with a minimal, local Node.js script and low install risk.
!
Credentials
Registry metadata requires OPENAI_API_KEY and CLAWHUB_API_KEY with OPENAI_API_KEY marked primary. In SKILL.md the CLAWHUB_API_KEY is described as optional, and analyze.cjs only checks CLAWHUB_API_KEY for simulated API behavior; there is no use of OPENAI_API_KEY in the visible code. Requesting a primary OpenAI credential while the code doesn't call an LLM is disproportionate and worth clarifying. Also the skill mentions VirusTotal integration yet provides no VirusTotal env var requirement.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated or persistent platform privileges. No evidence it modifies other skills or system-wide config.
What to consider before installing
This package is inconsistent: documentation promises live LLM and ClawHub API features (and VirusTotal checks), but the included code uses a small local database and simulates API results. Before installing or providing secrets, ask the author to explain why OPENAI_API_KEY is required (the code doesn't call an LLM in the provided files) and whether CLAWHUB_API_KEY is optional. Avoid supplying high-privilege keys until you confirm they are necessary; if you must test it, run it in a sandboxed environment, provide least-privilege or ephemeral API keys, and rotate them after testing. Also request missing referenced scripts (update-skills-db.sh, analyze.sh) or an explanation for the discrepancy between docs and code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97babk9kza52yjjzpkr875dfx83zgrk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binscurl, jq, node
EnvOPENAI_API_KEY, CLAWHUB_API_KEY
Primary envOPENAI_API_KEY

Comments