Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Test

v0.0.1

AList file management API for OpenClaw. Supports upload, download, list, mkdir, rm, mv, search, and offline download. Trigger: User asks about file managemen...

by Kinema. @leeshunee
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (AList file management) matches the commands described in SKILL.md, but the skill metadata declares no required env vars or binaries while the instructions clearly expect ALIST_URL/ALIST_USERNAME/ALIST_PASSWORD and a local Python CLI. Either the metadata is incomplete or the runtime will fail or prompt for credentials unexpectedly.
! Instruction Scope
SKILL.md instructs the agent to run `python scripts/alist_cli.py` and references `references/openapi.json` and environment variables. None of those files or env variables are declared in the skill manifest. The instructions therefore direct the agent to access local files and secrets that are not provably provided by the skill.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in itself. However, the instructions assume a local Python script and possibly a preinstalled CLI; because those files are not bundled or installed, the agent may try to fetch them or fail. No external downloads are declared.
! Credentials
SKILL.md asks for ALIST_URL, ALIST_USERNAME, and ALIST_PASSWORD — credentials that are reasonable for an AList integration — but the skill's manifest lists no required environment variables. This mismatch increases the risk of unexpected credential prompts or manual entry without clear provenance.
Persistence & Privilege
The skill does not request always: true and has no install steps that write to system config. It does not ask for system-level privileges in the manifest.
What to consider before installing
This skill's README looks like a wrapper for an AList CLI, but the package doesn't include the Python script or declare the environment variables it needs. Before installing or enabling it:

1) Ask the publisher for the missing files (scripts/alist_cli.py and references/openapi.json) or for a documented install procedure.
2) Confirm how and where you'd supply ALIST_URL/ALIST_USERNAME/ALIST_PASSWORD (manifest should declare required env vars).
3) Only provide credentials to trusted, verifiable source code — review the CLI code or run it in an isolated environment.
4) If the skill attempts to download code at runtime or prompts for credentials without an authoritative source, do not proceed.

Providing the missing code and aligning the manifest with SKILL.md would raise confidence; as-is, the inconsistencies are suspicious.

Like a lobster shell, security has layers — review code before you run it.
