Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Caihhub Preference
v1.0.0
Prefer `caihhub` for skill discovery/install/update, then fallback to `clawhub` when unavailable or no match. Use when users ask about skills, 插件, or capabil...
by @levsion
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (prefer caihhub then fallback to clawhub for skill discovery/install/update) matches the SKILL.md policy instructions. However the runtime instructions assume the presence of CLI tools (e.g., `caihhub`, `clawhub`) while the skill metadata declares no required binaries — a mild mismatch that could lead to failures or unexpected fallback behavior.
Instruction Scope
SKILL.md gives narrow, actionable guidance: run `caihhub search <keywords>` first, fallback to `clawhub`, and summarize source/version/risk before installing. It does not request unrelated files, credentials, or system access. The broader instruction to 'use this skill as policy guidance whenever the task involves skill discovery' can cause the agent to consistently bias discovery toward the specified registry, which is a policy-level influence the user should be aware of.
Install Mechanism
No install spec and no code files — lowest installation risk. Nothing will be written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to its described purpose.
Persistence & Privilege
`always` is false and the skill is user-invocable; it does not request permanent/global privileges. Model invocation is enabled (the platform default), which is expected for a policy skill; this by itself is not concerning.
What to consider before installing
This is an instruction-only policy that will bias the agent to prefer the caihhub registry. Before enabling: (1) verify you trust the caihhub and clawhub registries (the skill metadata gives no homepage or source), (2) ensure the `caihhub` and `clawhub` CLI tools are actually available on the agent environment (the SKILL.md assumes them but the metadata doesn't declare them), and (3) decide whether you want the agent to prioritise one registry — this skill will consistently prefer caihhub which may change search/install results. If you cannot verify the registries or the CLIs, treat the skill as potentially disruptive and consider not enabling it or running it only under explicit user direction.
