Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Configure Telerik NuGet
v1.1.0
Helps set up, configure and manage Telerik NuGet feeds in your repo's nuget.config file.
by Lance McCarthy @lancemccarthy
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md defines a PowerShell function that sets a user-level environment variable and edits/creates nuget.config to add a Telerik feed — this is consistent with the skill's described purpose. However the registry metadata earlier lists no required binaries while the SKILL.md frontmatter declares required_binaries: pwsh and dotnet. That metadata mismatch is an inconsistency that could confuse automated checks or users installing the skill.
Instruction Scope
The instructions stay within the stated purpose: they create/update nuget.config and set credentials to use an environment variable rather than a hardcoded secret. The function also sets a user-level environment variable persistently (Environment.SetEnvironmentVariable with 'User'), which is a side-effect users should be explicitly warned about — the SKILL.md does warn to restart the terminal, but does not discuss security trade-offs.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written by an installer step. That lowers install risk.
Credentials
No credentials are required up-front, which is fine, but the runtime instructions ask the user to provide an API key that the function will store as a persistent user-level environment variable. Persisting secrets in user environment variables can expose them to other user processes and is a broader access surface than storing secrets in a protected credential store or CI secret manager. Also dotnet was declared as required in SKILL.md frontmatter though it isn't used by the script, suggesting over-broad declared requirements.
Persistence & Privilege
The skill will write (or modify) nuget.config in the specified path and write a user-scoped environment variable (which updates the user's environment registry on Windows). This is normal for a configuration helper, but it is a persistent change to the user's environment and filesystem that the user should review before running.
What to consider before installing
This skill appears to do what it says (add a Telerik NuGet feed and configure credentials), but review a few points before installing/using it:
- The SKILL.md expects PowerShell (pwsh) and declares dotnet in its frontmatter, but the registry metadata shows no required binaries — verify pwsh is available and be aware of this metadata mismatch.
- The function will persist the provided API key as a user-level environment variable (Environment.SetEnvironmentVariable with scope 'User'). Persisting secrets in environment variables can expose them to other processes and is less secure than using an OS credential manager, encrypted nuget.config, or CI secret storage. Consider alternatives or set the variable only for the current session.
- The script writes/overwrites ./nuget.config (or a custom path you supply). Inspect the script and back up your nuget.config before running it.
If you decide to proceed: supply the API key only after reviewing the script, or run it in a disposable/test environment first. If you need higher assurance about secret handling, prefer solutions that use credential stores or CI secrets rather than persistent user env vars.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d4e0jrt644eysshcbyn3rpx8395m8
