Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Super publish skill

v1.0.101

Enforces React function component conventions, file organization, naming, TypeScript usage, imports, comments, and component splitting rules per project stan...

by Abigail Martinez @lixiaodou
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md content matches the declared purpose: coding conventions for React function components, TypeScript usage, imports, file organization, naming, comments, and splitting rules. The skill requires no binaries, env vars, or install steps, which is proportional for a style-guide/instruction-only skill. However, the included _meta.json does not match the registry metadata (different ownerId, slug 'summarize' and version 1.0.0 vs registry's super-publish-skill v1.0.101), suggesting a packaging or attribution mismatch that should be explained before trusting the skill.
Instruction Scope
SKILL.md contains only coding guidelines and examples in Chinese. It does not instruct the agent to read files, access environment variables, call external endpoints, run shell commands, or exfiltrate data. The runtime instructions stay within the stated purpose.
Install Mechanism
No install specification and no code files aside from SKILL.md and _meta.json. This is the lowest-risk form (instruction-only), so there is no installer to evaluate.
Credentials
The skill declares no required environment variables, credentials, or config paths and the instructions do not reference any. There is no disproportionate secret or environment access requested.
Persistence & Privilege
Skill flags are default (always: false, model invocation allowed). Nothing requests permanent presence or cross-skill/system configuration changes.
What to consider before installing
The skill's guidance content itself appears benign and fits its described purpose. However, the packaging metadata is inconsistent: the included _meta.json claims a different ownerId, slug ('summarize'), and version than the registry metadata for 'super-publish-skill' (v1.0.101). Before installing or enabling this skill, ask the publisher to explain the mismatch and provide: (1) a stable source or homepage, (2) a signed/verified release or repository link, and (3) clarification of the correct owner/slug/version. If you cannot verify authorship, treat the skill as untrusted — run it in a sandbox or avoid installing it. If you proceed, monitor for unexpected network activity or requests for credentials even though none are declared.

Like a lobster shell, security has layers — review code before you run it.
