Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Robotics Programmer
v1.0.0Professional career roadmap platform for robotics and automation engineering with personalized learning paths and specialization guidance.
⭐ 0· 41·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description match the SKILL.md and the included OpenAPI spec: both describe a roadmap API for robotics careers. The skill is instruction-only and makes no requests for credentials or local system access — which is plausible for a read-only roadmap service. However, the metadata lacks a clear source/homepage and the SKILL.md references an external platform (toolweb.in, RapidAPI) and pricing plans that typically require API keys; the skill does not declare any required credentials. This mismatch (no declared API key but references to a paid API) is unexpected and worth confirming.
Instruction Scope
The SKILL.md contains API endpoint definitions, request/response examples and usage for generating roadmaps. It does not instruct the agent to read local files, environment variables, or other system state, nor to exfiltrate unrelated data. The instructions are focused on the stated purpose and do not contain open-ended 'gather whatever context you need' directives.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run. That minimizes on-disk risk — nothing will be automatically downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials. That is reasonable for a purely local guidance tool, but inconsistent with the SKILL.md's external-service context and pricing (which commonly require API keys). If the agent or skill will call toolweb.in/RapidAPI endpoints, it likely needs credentials; the absence of declared env vars means either the service is public or the credential requirement was omitted. Confirm whether an API key/secret is needed before providing any credentials.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not indicate modifying other skills or system configuration. Autonomous invocation is allowed by platform defaults but is not combined here with broad privileges or credential access.
What to consider before installing
This skill appears to be what it says (an API description for a robotics career roadmap) and is low-risk as an instruction-only package, but the developer/source is not clearly identified and the documentation references paid plans and external portals that usually require API keys. Before using or installing: 1) Verify the publisher and a trustworthy homepage or source repository. 2) Confirm the service base URL and whether an API key (or RapidAPI credentials) are required — do not paste secrets into an unknown skill. 3) If you plan to let the agent call the external endpoints, test in a sandbox account or with dummy data first. 4) Check the service's privacy/terms to understand what user assessment data will be stored or shared. Additional information that would raise confidence: a public homepage or source repository, clear instructions for authentication (if required), and an explicit base URL for API calls.Like a lobster shell, security has layers — review code before you run it.
latestvk975v3mwwvvy1v6b63njwb2a4583rksd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.