Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OTPly

v1.0.0

Email OTP Service - Simple, Fast, Reliable

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, and openapi.json consistently describe an email OTP API with endpoints to register, login, send OTP, verify OTP, and view usage — that aligns with the stated purpose. However the skill does not provide a base server URL or any provenance/homepage/source to confirm where the API is hosted, which is unexpected for an API integration.
Instruction Scope
The SKILL.md documents requests that require X-API-Key and X-API-Secret headers and shows example payloads, but it does not instruct how the agent should obtain or store those credentials. The instructions do not include the API base URL or server to call, so they are incomplete and leave the agent ambiguous about where to send requests. There are no instructions that access local files or unrelated system state.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute, which is low risk from an installation perspective.
Credentials
The documented API requires X-API-Key and X-API-Secret for most endpoints, but requires.env and primaryEnv are empty — the skill does not declare any environment variables or credential inputs. That mismatch is incoherent: an integration that needs API credentials should document how they are supplied (env vars, prompts, secret storage).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. No elevated or persistent privileges are requested.
Scan Findings in Context
[no-findings] unexpected: The regex scanner found no code patterns because this is an instruction-only skill (SKILL.md and openapi.json). The absence of findings is not evidence of safety; the openapi lacks servers and the SKILL.md omits credential provisioning, which are functional/provenance concerns.
What to consider before installing
This skill documents an OTP API but is incomplete and of unknown origin. Before installing or using it: (1) ask the publisher for the API base URL (openapi.json has no servers) and confirm the service domain and HTTPS endpoints; (2) confirm how you should provide X-API-Key and X-API-Secret (environment variables, secret store, or interactive prompt) — the skill currently doesn't declare them; (3) prefer skills with a verifiable homepage, source repository, or published package; (4) treat OTP data and API credentials as sensitive — don't upload real credentials until you trust the provider and have verified TLS and a privacy policy; (5) if the publisher cannot provide clear provenance and a server URL, avoid using the skill in production.
