Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Satellite Comm

v1.0.0

Professional entry-level satellite communication engineering career roadmap platform that generates personalized learning paths based on skills assessment.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and openapi.json align: the skill is an API-driven career roadmap generator and defines a POST /api/satcom/roadmap request/response. It does not request unrelated binaries, environment variables, or installs. However, the API specification lacks a servers entry and any security definition, and the skill has no homepage or clear source — provenance is unknown.
Instruction Scope
Runtime instructions explicitly ask the agent to submit assessmentData including experience, userId and session metadata to the API. The SKILL.md and openapi.json do not specify the base URL, transport security (HTTPS), or any authentication/authorization. That means the agent could transmit identifiable or sensitive user data to an unspecified external endpoint — a privacy/exfiltration risk.
Install Mechanism
No install spec and no code files to run locally reduce execution footprint: this is instruction-only and does not write code or third‑party packages to disk.
Credentials
The skill declares no required environment variables or credentials (proportionate). However, it asks for structured personal/assessment data (userId, experience, sessionId) to be sent to an external API without specifying security. The absence of declared auth combined with collection of PII is a privacy concern.
Persistence & Privilege
always is false and there is no indication the skill requests persistent system privileges or modifies other skills/config. Autonomous invocation is allowed (platform default) but that alone is not flagged.
What to consider before installing
This skill appears to do what it says (generate career roadmaps), but it asks you to submit personal assessment data to an unspecified external API, and the package provides no provenance, no servers entry, and no authentication or privacy details. Before installing or using it:
(1) Ask the publisher for the service base URL, a privacy policy, and how data is stored and retained.
(2) Confirm the API uses HTTPS and requires authentication (securitySchemes in the OpenAPI) so data is not sent to an unauthenticated endpoint.
(3) Avoid sending real PII (use anonymized or synthetic data) until you verify the backend and owner.
(4) Prefer skills from known sources or with source links and a verifiable homepage.
(5) Request that the OpenAPI include servers and security schemes so the agent can't unknowingly POST sensitive info to an unknown host.
If the provider cannot answer these, treat this skill as risky for any sensitive or identifying data.
