ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Test Skill from TPClawHub

v1.0.0

Provides automated testing, CI/CD integration, and quality assurance for verifying TPClawHub integration.

0· 41·0 current·0 all-time
by@lky115
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description promise automated testing, CI/CD integration, and QA, but the package contains no implementation (no code files, no install spec, no declared binaries). There is no evidence the skill actually provides the stated capabilities.
!
Instruction Scope
SKILL.md tells the agent to install dependencies, configure environment variables, and run a "main script", and it explicitly references an API_KEY and DEBUG, but there is no script, no dependency list, and the metadata declares no required env vars. The instructions therefore ask for actions and secrets that cannot be fulfilled by the provided artifacts.
Install Mechanism
There is no install specification (the skill is instruction-only). That is low risk in itself, but here it's inconsistent with the SKILL.md which instructs installing dependencies (and shows an npx clawhub install example) while providing no details on what to install.
!
Credentials
SKILL.md requests an API_KEY (and optional DEBUG) but the registry metadata lists no required env vars or primary credential. Asking for an undefined API_KEY is disproportionate and unexplained — it could lead users to supply secrets without understanding their use.
Persistence & Privilege
No elevated privileges are requested: always is false, no install actions are declared that would write files, and there are no config paths or persistent behaviors described.
What to consider before installing
This package appears to be a placeholder or incomplete: the README asks you to install dependencies, run a main script, and set API_KEY, but there is no code or install instructions. Do not provide real secrets (API keys) to this skill. Before installing or using it, request the full code/install spec from the publisher or only run it in an isolated, disposable environment with an ephemeral, least-privilege test key. If you need the promised functionality, prefer a skill that includes concrete install steps, a dependency list, and clear documentation of what the API_KEY is for and where it is sent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b6hsc0954mq2nywx2vnwptd83pzjk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments