ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawbridge - Find your connections

v3.0.0

Run Clawbridge discovery from OpenClaw chat

0· 1.9k·8 current·9 all-time
byLee L@leethebuilder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its behavior: it runs the 'clawbridge' CLI, parses stdout for VAULT_URL and counts, and replies in chat. Requiring the 'clawbridge' binary is proportionate to this purpose.
Instruction Scope
SKILL.md only instructs the agent to exec 'clawbridge run' and parse its stdout — that's within scope. However, running a local binary gives that binary full discretion to perform network I/O, upload data to the vendor, or access local resources; the skill does not constrain or audit what the runner does. Users should treat the CLI's behavior (not the skill) as the primary data-exfiltration/privilege risk.
!
Install Mechanism
The recommended install is 'curl -fsSL https://clawbridge.cloud/install | bash' (remote script piped to shell). This is a high-risk install pattern because it runs arbitrary code fetched at install time. Although the domain matches the project's homepage, piping installers to bash from a remote URL is inherently risky and should be inspected before running.
Credentials
The skill requests no environment variables, no config paths, and only requires the 'clawbridge' binary — which is proportional to its stated purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent system-wide privileges or modify other skills' configs. Allowing autonomous model invocation is the platform default and present here, but not by itself a red flag.
What to consider before installing
This skill itself is a thin chat shortcut that execs your local 'clawbridge' CLI and posts the Vault URL — that's expected behavior. Before installing or using it: (1) Avoid running the provided installer blindly — inspect https://clawbridge.cloud/install before piping it to bash or prefer manual installation from a verified release; (2) Understand that executing 'clawbridge run' may cause the runner to access network resources and upload data to the vendor (the skill will surface the returned VAULT_URL), so review the runner's documentation and privacy model and consider running it in an isolated environment if you have sensitive data; (3) Confirm the installer and runner code provenance (GitHub repo, release artifacts, checksums) if you need higher assurance. If you cannot or will not inspect the install script, treat installing this skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bqeh132nywaxd8svj3jw8rd80empx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌉 Clawdis
Binsclawbridge

Comments