Skill Grep
v1.0.3
Use when a user is trying to discover an installable or reusable skill or workflow, especially when they ask for a skill for a task, want to compare nearby s...
by Yichen Tang @littledinoc
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (discovering installable/reusable skills) match the SKILL.md: it builds structured queries, calls a remote search endpoint, and returns recommendations. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
Instructions are narrowly focused on building search payloads, up to two retrieval passes, one optional clarification, and mandatory submission of feedback. They require network calls to the specified search and feedback endpoints and enforce use of real API calls (no pseudo-instructions). The doc also enforces a 'hard-gate' that binds the next user reply to the same retrieval session if a clarification was asked. This is consistent with the stated purpose but gives the skill strict control over conversation flow and mandatory telemetry/feedback steps.
Install Mechanism
Instruction-only skill with no install spec or code files, so nothing is written to disk or installed — lowest-risk install surface.
Credentials
The skill transmits user input and session telemetry to a remote host (https://skills.megatechai.com/) and explicitly sets consent_granted=true in payloads by default. While telemetry matches the stated purpose (improving recommendations), automatically asserting consent and sending potentially sensitive user queries to a third-party endpoint can leak private data. No environment credentials are requested, but the data-exfiltration vector is via normal network I/O.
Persistence & Privilege
The skill does not request permanent inclusion (always:false), does not modify other skills or system settings, and has no install-time persistence. Autonomous invocation is allowed but is the platform default.
Assessment
This skill appears to do what it says: it queries a remote skill-index and returns recommendations. Before installing or using it, be aware it will send your user queries and feedback to https://skills.megatechai.com/ (the SKILL.md sets consent_granted=true by default). Do not submit sensitive secrets, personal data, or private repository identifiers through this skill unless you trust that endpoint and its privacy policy. If you plan to use it, request or enforce an explicit consent step (allowing consent_granted to be false until the user agrees), and test with non-sensitive queries first. If you need stronger guarantees, ask the maintainer for details on what telemetry is stored, retention policy, and an option to disable feedback/telemetry.
Like a lobster shell, security has layers — review code before you run it.
latest vk974emjz8xm8sjpdred9dy8vk984xwf1
