Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SupaSkills
v1.1.0
Search and load 1,000+ quality-scored expert skills from SupaSkills.ai
⭐ 0 · 523 · 3 current · 3 all-time
by Kill The Dragon @ktdmax
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (search/load SupaSkills prompts) align with the SKILL.md instructions: both describe searching the SupaSkills API and loading a skill prompt to use as expert reference. There is no request for unrelated binaries or services in the instructions.
Instruction Scope
Runtime instructions stay within the stated purpose: they call SupaSkills API endpoints via curl, present results to the user, and instruct the agent to use returned text as reference while not treating it as an override. The instructions do not reference unrelated system files, other credentials, or unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or fetched during install — lowest-risk install posture.
Credentials
SKILL.md requires an API key (SUPASKILLS_API_KEY) and shows curl examples using an Authorization header, which is appropriate for the service. However, the registry metadata lists no required environment variables or primary credential — that mismatch is an incoherence. The skill asks the user to store a secret in env vars (and even documents the key prefix), so the metadata should have declared this. Confirming the API key scope and whether the key can be rotated/revoked is recommended.
Persistence & Privilege
The skill is not 'always' enabled and is user-invocable; model invocation is allowed (normal). There is no install-time persistence or modifications to other skills/configs. Note: autonomous invocation + an external API key increases blast radius if the key is misused, but here that is a standard pattern for API-backed skills.
What to consider before installing
This skill appears to do what it says (search and load SupaSkills prompts) and uses only the SupaSkills API. However, the SKILL.md requires SUPASKILLS_API_KEY while the registry metadata does not declare it — ask the publisher to fix the metadata. Before installing: verify the supaskills.ai domain and publisher (homepage/repo), only supply an API key you control and can revoke, store it in a secrets manager (not checked into git), and consider disabling autonomous invocation for this skill if you don't want the agent to call the third-party API without explicit approval. If you need higher assurance, request the skill's source or API docs and confirm the key's scope and rate limits.
Like a lobster shell, security has layers — review code before you run it.
