ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SSL Certificate Manager

v1.0.0

Automate SSL certificate generation and management with DNS challenge validation and certificate provisioning.

0· 91·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the provided endpoints (dns-challenge, generate-certificate, debug, download). However, a real certificate management API normally requires explicit authentication, a base URL/server, and integration details for DNS or DNS-provider APIs; none are declared. The absence of required credentials or configuration is unexpected for this capability but could be a minimal or local-only stub.
!
Instruction Scope
SKILL.md instructs calling endpoints that can issue certificates and download private keys, but it does not (a) specify the API base URL or auth method, (b) provide secure handling guidance for private keys, or (c) limit where downloaded keys should be stored or transmitted. The instructions are otherwise limited to HTTP API use and DNS TXT record guidance; they do not request reading local files or unrelated system data.
Install Mechanism
This is an instruction-only skill with no install spec and no code to write to disk, which is low-risk from an installation standpoint.
!
Credentials
The skill declares no required environment variables or credentials. That is unusual for a certificate provisioning API that issues private keys and certificates — typically some form of auth (API key, token) or DNS-provider credentials would be required. The lack of declared secrets or auth is an unexplained omission and increases the chance the skill is incomplete or misdocumented.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not declare permissions to modify other skills or system settings. Agent autonomy is enabled by default (not a unique risk here).
What to consider before installing
This skill appears to describe a certificate-management API but omits critical operational details. Before installing or using it: 1) Ask the publisher for the API base URL and authentication method — do not assume requests are to a trusted host. 2) Confirm how private keys are handled: never fetch or store private.key into shared agent logs or third-party endpoints; require secure, private storage and transport (HTTPS, access controls). 3) Verify the provider's identity and reputation (homepage, documentation, TLS certs for the API host). 4) Prefer skills that explicitly declare required credentials (API key or OAuth) and include a servers field in openapi.json. 5) If uncertain, avoid using the download endpoint through the agent; manage private keys via your own infrastructure or vetted tooling. These gaps could be benign (incomplete docs or a local-only stub) but also could mask misuse — proceed only after clarifying the missing pieces.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a0bfatc73kvhxz655daf0cx83ed0z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments