ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Registry Broker

v0.1.0

Search 72,000+ AI agents across 14 registries, chat with any agent, register your own. Powered by Hashgraph Online Registry Broker.

0· 2k·1 current·1 all-time
by@kantorcodes
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, examples, and the CLI implementation all implement an agent registry client. Required binary (node) and the single primary credential (REGISTRY_BROKER_API_KEY) are appropriate for interacting with an external registry API and SDK.
Instruction Scope
Runtime instructions and the included scripts only reference the registry API, the SDK, and optional .env values (REGISTRY_BROKER_API_KEY, REGISTRY_BROKER_BASE_URL). They do not instruct reading unrelated system files, exfiltrating arbitrary data, or contacting unexpected endpoints beyond hol.org and user-provided agent endpoints.
Install Mechanism
There is no platform install spec, but SKILL.md directs users to run npm install. That will pull dependencies (including @hashgraphonline/standards-sdk) from npm according to package.json/pnpm-lock.yaml. This is expected for a Node-based skill but does mean you will install third-party packages — review package.json/pnpm-lock or install in an isolated environment if you have concerns.
Credentials
The skill only declares one primary env var (REGISTRY_BROKER_API_KEY) and optionally supports REGISTRY_BROKER_BASE_URL via .env. The code uses those env vars only for API access; no unrelated secrets or system credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as a CLI and can be invoked by the agent; autonomous invocation is allowed by platform default but here is not combined with other red flags.
Assessment
This skill appears coherent with its purpose: it requires Node and an API key for hol.org, and its scripts call the @hashgraphonline SDK and the registry API. Before installing or running: (1) Confirm you trust https://hol.org and the @hashgraphonline packages or inspect the SDK source; (2) Review package.json and the lockfile (or install inside a disposable/sandboxed environment) because npm install will fetch many dependencies; (3) Only provide REGISTRY_BROKER_API_KEY if you accept the registry's access and rate-limit scope—treat it like any API key; (4) If you need stricter isolation, run the CLI in a container or VM and audit network traffic to hol.org. Overall the package is internally consistent and not requesting unrelated privileges or secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk974d9echg6q3fjgnsfq49w66n80aver

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsnode
Primary envREGISTRY_BROKER_API_KEY

Comments