Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Find Docs
v0.1.0
Retrieves authoritative, up-to-date technical documentation, API references, configuration details, and code examples for any developer technology. Use this...
by Cakekritsanan @kritsanan1
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (find docs, return up-to-date documentation and examples) matches the instructions: use the ctx7 CLI to resolve library IDs and fetch docs. The skill does not request unrelated environment variables or strange binaries.
Instruction Scope
SKILL.md tells the agent to run ctx7 CLI commands (ctx7 library and ctx7 docs) and to limit attempts to 3 per question. It explicitly warns not to include secrets in queries. The instructions do not ask the agent to read unrelated files or exfiltrate arbitrary data, but they do instruct executing networked CLI commands (and optional OAuth login) which will contact external services.
Install Mechanism
There is no install spec in the skill bundle; instead the runtime instructions tell the user/agent to install ctx7@latest from npm or run it with npx. Running npm install -g or npx will download and execute code from the npm registry; the SKILL.md does not provide a homepage, repository, or verification guidance for the ctx7 package. This is a proportional dependency for a CLI-based doc lookup, but it carries moderate risk unless the package origin is verified.
Credentials
The skill requires no environment variables to operate and only mentions an optional CONTEXT7_API_KEY for higher rate limits (and OAuth login). Requesting an optional API key for rate limits is proportional to its purpose; the SKILL.md explicitly discourages including secrets in queries.
Persistence & Privilege
The skill does not request persistent 'always' presence and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with unusual privileges.
Assessment
This skill is internally coherent: it describes a documentation lookup and tells the agent to call a CLI (ctx7) to fetch docs. The main risk is the CLI itself — the SKILL.md asks you to install ctx7@latest from npm or run it with npx, but does not provide a repository, homepage, or publisher identity. Before installing or giving the agent permission to run the CLI, verify the ctx7 package and its publisher (npm page, GitHub, official docs). Prefer using npx (temporary run) or running the CLI in a sandbox, avoid global installs unless you trust the package, and do not supply API keys or secrets in queries (the skill already warns about this). If you cannot verify the ctx7 package source, consider disallowing the agent from running external commands and ask it to answer from training data instead.
Like a lobster shell, security has layers — review code before you run it.
