Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
security scanner
v1.0.7
Scan AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions. Three-layer analysis: dependency CVE scanning, static...
⭐ 0 · 130 · 0 current · 0 all-time
by claw0x @kennyzir
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description state it will scan skills for vulnerabilities and undeclared permissions; the SKILL.md and handler.ts implement exactly that by calling the Claw0x Gateway API. Requested artifacts (repo_url, skill_slug, code) and the single required env var (CLAW0X_API_KEY) match the stated purpose.
Instruction Scope
Runtime instructions and examples consistently instruct the agent to POST skill data (repo URL or code) to https://api.claw0x.com/v1/call. There are no instructions to read unrelated local files or other environment variables. This is expected, but it does mean user code/metadata will be sent to a third-party service — a privacy-sensitive action that the user should be aware of.
Install Mechanism
Instruction-only skill with no install spec. The included handler.ts is a small network wrapper (uses fetch) and does not write to disk or download/extract remote archives. Low installation risk.
Credentials
Only CLAW0X_API_KEY is required (declared in SKILL.md metadata and enforced by handler.ts). That single credential is proportional to a remote service wrapper. Users should still treat the key as sensitive because it authorizes requests that may transmit code to the external API.
Persistence & Privilege
The always flag is false, and the skill does not request elevated privileges, nor does it modify other skills or global agent config. Model invocation is allowed (the platform default), which is appropriate for a callable scanner.
Assessment
This skill forwards provided repo URLs or code to the Claw0x Gateway (https://api.claw0x.com). That behavior matches its purpose but has privacy implications: do not send secrets, credentials, or private data you cannot share. Before installing, verify you trust Claw0x (review privacy/security docs), use a dedicated/limited API key, rotate the key if leaked, and prefer a local scanner for highly sensitive code. Review the included handler.ts (it only reads CLAW0X_API_KEY and POSTs the input) and consider network controls (allowlist api.claw0x.com) and logging to detect unexpected usage.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
handler.ts:9: Environment variable access combined with network send.
Like a lobster shell, security has layers — review code before you run it.
latest · vk97cjqmx889d6wc80cp0342w6983h8gz
