Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pget

v1.0.0

Parallel file download and optional tar extraction using the pget CLI (single URL or multifile manifest). Use when you need high‑throughput downloads from HTTP(S)/S3/GCS, want to split a large file into chunks for speed, or want to download and extract a .tar/.tar.gz in one step.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the provided instructions: everything focuses on downloading files (single or manifest) and optional tar extraction. No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
SKILL.md stays on-topic: it instructs how to run pget, how to supply a manifest or stdin, and how to tune concurrency and extraction. The only file reads referenced are user-supplied manifests or destinations necessary for download; there are no instructions to read unrelated system files or secrets.
Install Mechanism
references/pget.md includes installation commands that download a binary from GitHub releases and a Homebrew tap (replicate/pget). Those are expected for a CLI tool and are standard. Note: the curl install uses sudo to write to /usr/local/bin — running such install commands requires privilege and you should verify the release source and checksums before running.
Credentials
The skill requests no environment variables or credentials. Options like --resolve are CLI flags for pget and do not imply hidden credential access. The lack of secrets or config-path requirements is proportionate for a downloader tool.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not attempt to modify other skills or system-wide settings. Autonomous model invocation is allowed (platform default) but not combined with any broad privileges here.
Assessment
This skill is an instruction-only wrapper for the pget CLI and looks internally consistent. Before installing or running the suggested curl command, verify the GitHub release/source (replicate/pget) and, if available, verify checksums or use Homebrew, which is safer for macOS. Be aware that the "-x" in-memory extraction can consume large amounts of RAM for big archives, and manifest/STDIN input fetches whatever URLs you provide — only download from trusted sources. If you plan to run install commands that write to /usr/local/bin with sudo, review the binary first or prefer a package manager.
