Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

One API. Always on. Aggregate multiple AI providers under the hood. Smart routing auto-switches on failure. You call once — we handle the rest.

v1.0.0

Use CCAPI unified AI API gateway to access 60+ models (GPT-5.2, Claude, Gemini, DeepSeek, Sora 2, Kling 3.0, Seedance 2.0, Suno, etc.) across text, image, vi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly documents a unified AI gateway (CCAPI) and shows examples (Python/Node/cURL) that match that purpose. However the registry metadata claims no required credentials or config paths even though the instructions repeatedly show an Authorization: Bearer <your-ccapi-api-key> and link to ccapi.ai — the absence of a declared primary credential is an inconsistency.
Instruction Scope
The instructions are largely limited to calling an external REST API (expected for an API gateway). They do not instruct reading local files or unrelated system data. The SKILL.md does instruct users to obtain and use an API key (and shows example client usage), but it does not specify how that key should be supplied to the agent (no declared env var), which leaves ambiguous how the skill will obtain credentials at runtime.
Install Mechanism
There is no install spec and no code files, so nothing is written to disk by the skill itself — this is the lower-risk 'instruction-only' pattern.
Credentials
The SKILL.md requires an API key for ccapi.ai (Authorization header / api_key in examples) but the skill metadata lists no required environment variables or primary credential. That mismatch is problematic because the agent may request the key at runtime in an ad-hoc way or the registry listing is incomplete. Additionally, the gateway nature concentrates prompts/responses with a third party (ccapi.ai), which is a privacy/secret-exfiltration consideration: any data sent goes through that service.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-level privileges or to change other skills' configurations. It's user-invocable and allows autonomous invocation by default (the platform norm), which is expected for skills.
What to consider before installing
(1) provenance — the skill has no listed source or homepage; verify ccapi.ai is a legitimate provider before trusting an API key.
(2) credential mismatch — the SKILL.md requires a CCAPI API key but the registry metadata declares no required env vars; ask the publisher to declare a primary credential and explain how the agent will receive it.
(3) privacy risk — this gateway proxies your prompts/responses to many upstream providers, so avoid sending sensitive data or secrets through it.
(4) testing advice — if you proceed, use a scoped/test key (not high-privilege credentials), limit data sent, and monitor network calls.
(5) additional info that would increase confidence: a verifiable homepage/source repo, a declared required env var in the registry that matches the SKILL.md, or published client/server code showing how keys are handled.
If you cannot verify the vendor or the credential handling, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
