ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PrivateBin Upload Skill

v1.0.0

Upload content to a PrivateBin instance and return a shareable link. Use when the user wants to share text, code, reports, or files via paste URL with option...

0· 310·0 current·0 all-time
by@kafcoppelia
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md explicitly uses the privatebin CLI to create pastes, references the config (~/.config/privatebin/config.json), and supports expected options (expiry, password, burn-after-reading). The package.json dependency on privatebin-cli aligns with the stated purpose.
Instruction Scope
Instructions stay within upload scope (check CLI, read user-provided file or stdin, run privatebin create --output=json, parse paste_url). They do instruct reading a file path supplied by the user and the PrivateBin config file, which is expected; there is an inherent privacy risk because uploads go to the configured host (default privatebin.net or any host the config/flags specify).
Install Mechanism
No install spec is included (instruction-only skill). The README documents normal ways to install the privatebin CLI from known sources (brew, package manager, GitHub releases). Nothing in the skill downloads arbitrary code or writes unexpected files.
Credentials
The skill requests no environment variables, secrets, or unrelated credentials. It operates via the privatebin CLI and the user's PrivateBin config. No excessive credential access is required.
Persistence & Privilege
always:false and no special permissions; the skill does not request persistent or platform-wide privileges and does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: it relies on your local privatebin CLI and your PrivateBin config to upload content and return a link. Before using it, verify: (1) the privatebin CLI you install comes from the official project or repository, (2) the configured PrivateBin host (~/.config/privatebin/config.json or the --host flag) is trusted — uploads go to that host and may be visible to the host operator, (3) you should not upload secrets or private data unless you intend that recipient/host to have access, and (4) if you want tighter privacy use password protection or burn-after-reading and confirm the paste URL before sharing. The skill itself requests no unrelated credentials and does not perform unexpected actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk9746rdb332k899wttmyh5zgns823dnp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments