Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
dakboard
v1.0.1
Manage DAKboard screens, devices, and push custom display data.
by Kristopher Clark (@krisclarkdev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name and description request DAKboard API access, and the skill requires only a single DAKBOARD_API_KEY environment variable; the included CLI script and SKILL.md implement device/screen listing and pushing metrics/fetch data to dakboard.com, which is proportional to the stated purpose.
Instruction Scope
SKILL.md directs the agent to run the included Python script with specific commands. The script only accesses DAKBOARD_API_KEY, makes HTTP calls to dakboard.com, and does not read or write local files. Minor mismatch: SKILL.md mentions https://dakboard.com/api/ and the script uses both https://dakboard.com/api and https://dakboard.com/api/2 as bases; this appears implementation-specific rather than malicious.
Install Mechanism
No install spec — instruction-only plus a small shipped Python script. Nothing is downloaded or written to disk by an installer, so install risk is low.
Credentials
Only DAKBOARD_API_KEY is required. The code only reads that environment variable and uses it to authenticate requests to dakboard.com. The number and type of environment variables are proportional to the skill's functionality.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills/config. It can be autonomously invoked (platform default), which is expected — not a standalone red flag here.
Assessment
This skill appears to do exactly what it says: it uses your DAKBOARD_API_KEY to call dakboard.com and manage devices/screens or push display data. Before installing, consider: (1) Only provide a DAKBOARD_API_KEY you trust and, if possible, a key with limited scope/permissions; (2) The script appends the API key as a query parameter — query params can be logged by proxies or servers, so avoid using a highly privileged key if logs are a concern; (3) Do not pass sensitive personal data or secrets as command arguments because those values will be sent to dakboard.com; (4) If you are concerned about autonomous invocation, keep the skill user-invocable only (disable autonomous use in agent settings); (5) Review the included script yourself (or ask someone trusted) and rotate the API key if you suspect it was exposed. Overall the skill is internally consistent and coherent with its declared purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk975e7eeqybsy2mn3c332kk3an81jzwr
Runtime requirements
Env: DAKBOARD_API_KEY
