Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Frontend Developer

v1.0.0

Professional Frontend Development Career Roadmap Platform that generates personalized learning paths and development strategies for aspiring and experienced...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md usage examples, and openapi.json consistently describe a 'Frontend Developer Roadmap' API. Nothing in the bundle asks for unrelated privileges (no env vars, no binaries). However, the package provides no homepage, no server/base URL, no owner contact info beyond an opaque owner ID, and no declared authentication scheme—so it's unclear where or how the API is actually hosted or authorized.
Instruction Scope
SKILL.md limits runtime actions to constructing and sending API requests and describes endpoints and payloads; it does not instruct reading local files, environment variables, or other system state. The notable omission is that it does not specify a base URL/servers entry or any concrete endpoint host to call, nor does it explain authentication/keys—this makes the instructions underspecified and may lead an agent to ask the user for details or to attempt network calls to an unspecified destination.
Install Mechanism
There is no install specification and no code files that would be written to disk; this minimizes installation risk. The skill is instruction-only and therefore has a small local footprint.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a purely informational API description. However, many real APIs require API keys or tokens; the openapi.json contains no security schemes and SKILL.md does not explain authentication. This mismatch (no credential declarations but an API that lists pricing tiers) is worth clarifying before providing any credentials or sensitive data.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time hooks or config modifications. It does not attempt to modify other skills or system settings based on the provided materials.
What to consider before installing
This skill appears to be an instruction-only description of an external 'Frontend Developer Roadmap' API and does not request local permissions or credentials—but important information is missing. Before installing or using it:
1) Ask the publisher for the API base URL (servers) and the domain hosting the service and verify the domain and TLS certificate.
2) Ask whether the API requires an API key or other credentials, and if so, why these are not declared in the skill metadata.
3) Do not submit sensitive data (passwords, cloud credentials, full personal identifiers) to the API until you confirm the service's privacy policy and authentication.
4) Prefer skills that include a verifiable homepage, owner contact, or published source.
Given the unknown provenance and missing auth/hosting details, treat this skill as unverified until you obtain that information.

Like a lobster shell, security has layers — review code before you run it.
