Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
System Administrator
v1.0.0
Professional System Administration Career Roadmap Platform that generates personalized career development paths based on skills assessment and experience level.
by ToolWeb @krishnakumarmahadevan-cmd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and openapi.json consistently describe a career-roadmap API that accepts assessment data and returns a roadmap. There are no unexpected binaries, credentials, or install steps that conflict with the stated purpose.
Instruction Scope
SKILL.md provides sample requests, responses, and an OpenAPI schema for POST /api/sysadmin/roadmap but does not specify a server/base URL, authentication method, or concrete runtime instructions on where to send requests. It does not instruct the agent to read local files or environment variables. The lack of a host makes the runtime behavior ambiguous: the agent would need a destination to call, which is not provided.
Install Mechanism
No install spec and no code files beyond documentation; this is instruction-only, so nothing is written to disk or downloaded. Low install risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. This is proportionate for a read-only API description. However, because the target endpoint is unspecified, it's unclear whether later configuration (not declared here) would request credentials.
Persistence & Privilege
always:false and no persistence instructions. The skill does not request permanent presence or attempt to modify other skills or system settings.
What to consider before installing
This skill appears to be documentation for an API that generates career roadmaps and does not itself include code or request credentials—so on its face it is low-risk. However:

1) The package has no homepage and the source is unknown—confirm the author/owner identity before trusting it.
2) The OpenAPI file contains no servers/base URL or authentication spec, so you should ask where requests would be sent and what data would be stored or logged; do not send real PII, company secrets, or production identifiers until you know the endpoint and privacy/retention practices.
3) If you plan to enable the agent to call this API, require a fully qualified HTTPS server URL and explicit auth (API key/OAuth) and verify TLS, endpoint ownership, and a privacy policy.
4) Test with synthetic or anonymized data first.

If the publisher provides a trustworthy domain, documentation, and clear auth/retention terms, the skill is reasonable to use; otherwise proceed cautiously or decline.

Like a lobster shell, security has layers — review code before you run it.
