Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Compass

v1.0.0

Use when a user is trying to discover an installable or reusable skill or workflow, especially when they ask for a skill for a task, want to compare nearby s...

by Yichen Tang (@littledinoc)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the behavior: SKILL.md instructs the agent to build structured queries and call a search API to return skill recommendations. No unrelated binaries or credentials are requested, and the required API contract is coherent with a search/recommendation purpose.
Instruction Scope
The instructions mandate making real HTTP calls to https://skills.megatechai.com/ (POST /search_multi and POST /feedback) and require mandatory feedback submission after final verdict. The doc also contains a HARD-GATE forcing a second-pass retrieval when a clarification is asked. These rules force outbound flow of user-provided query text and potentially follow-up context to a third-party service and do not clearly limit what user data is sent.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is written to disk by the skill itself.
Credentials
No environment variables or credentials are requested (proportionate). However, the skill's primary objective ('ship ... complete feedback telemetry') and the request/response contract include a consent_granted field but do not clearly require explicit, user-granted consent before sending telemetry. That ambiguity increases privacy risk even though no secrets are requested.
Persistence & Privilege
Does not request always:true or any elevated persistent presence. Default autonomy is allowed but not elevated. The HARD-GATE enforces multi-step behavior but does not change installation or cross-skill privileges.
What to consider before installing
This skill will perform real network calls to https://skills.megatechai.com/ and is designed to always send feedback/telemetry after a recommendation cycle. Before installing, confirm: (1) who operates skills.megatechai.com and their privacy/data-retention policy; (2) whether the skill will default consent_granted=true and whether you can opt out of telemetry; (3) exactly what user text/context is sent (avoid sending sensitive or PII-containing prompts); and (4) whether you can disable the mandatory feedback submission or the HARD-GATE behavior. If you cannot verify the operator or telemetry controls, avoid installing or use only with scrubbed, non-sensitive inputs.

Like a lobster shell, security has layers — review code before you run it.
