Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

breadcrumb-generator

v1.2.0

When the user wants to add, optimize, or audit breadcrumb navigation. Also use when the user mentions "breadcrumbs," "breadcrumb trail," "breadcrumb nav," "b...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: the SKILL.md provides SEO/UX guidance, HTML examples, and JSON-LD schema for breadcrumb navigation. The content and examples are coherent with a breadcrumb-generation/audit skill.
! Instruction Scope
The instructions explicitly say to 'Check for project context first' and to read .claude/project-context.md or .cursor/project-context.md if they exist. Those file reads are outside the declared requirements and can surface unrelated project metadata or secrets. The SKILL.md also references other internal docs/skills (schema-markup, serp-features, article-page-generator) without specifying where they live or how to access them, which is open-ended.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk-write and supply-chain risk.
! Credentials
The skill declares no required env vars or config paths, but the runtime instructions direct reading specific hidden project files. Asking to read these files is a form of configuration/data access that should have been declared (requires.configPaths). This mismatch increases the chance of unexpected data access.
Persistence & Privilege
always is false and the skill does not request persistent presence or elevated privileges. It does not declare actions that would modify other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (breadcrumb guidance and schema), but it tells the agent to read hidden project files (.claude/project-context.md and .cursor/project-context.md) although no config paths or permissions are declared. Before installing: (1) inspect those files in any repo where the agent will run — ensure they don't contain secrets or unrelated private data; (2) ask the skill author to explicitly declare required config paths (or make file access optional) so you can make an informed decision; (3) if possible, run the skill in a sandbox or on a non-sensitive project first; (4) limit the agent's autonomy or deny access to repositories containing credentials or sensitive information. If you can't verify the contents of the referenced files, treat the file-reading instruction as a potential data-leakage risk.

