Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
README Writer
v1.0.0
Generate a complete, production-quality README.md from code, description, or an existing README, tailored to the project type without any filler content.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name, description, and declared requirements align: this is an instruction-only skill that generates README.md content from provided code or descriptions. It does not request extraneous binaries, environment variables, or credentials, which is appropriate for the stated purpose.
Instruction Scope
SKILL.md stays focused on README generation and outlines precise formatting rules and project-type adaptations. However, the 'Self-improvement instructions' ask the skill to record what was missing after each README and to 'after 20 READMEs, surface the top 3 things developers forget' — that requires accumulating state across runs. The skill provides no mechanism (install, storage path, environment, or external endpoint) for persistent tracking.
Install Mechanism
There is no install spec and no code files — lowest-risk delivery model. Nothing will be written to disk by the skill itself as described.
Credentials
The skill declares no environment variables, credentials, or config paths, which is proportionate to its stated function. Note: because it asks the agent to use actual function/class names from supplied code, giving the agent repository files may expose secrets embedded in code; the SKILL.md does not warn about excluding sensitive files.
Persistence & Privilege
Autonomous invocation is allowed (default), which is normal, but the self-improvement feature implies the skill will persist usage/metadata across sessions. Yet the skill doesn't declare how or where it will store that data (no install, no config path, no env). This mismatch could mean reliance on the host agent's memory/persistence features — clarify whether data will be stored and where, and whether it is shared or private.
What to consider before installing
This skill appears to do what it says (produce high-quality README.md files) and doesn't request any credentials or installs — that's good. Before installing or using it:
(1) Ask the publisher how the 'Self-improvement' tracking is implemented: where are per-README records stored, who can read them, and can you opt out?
(2) Never feed repositories that contain secrets (API keys, private certs, credentials) — the skill's rule to use function/class names could cause accidental inclusion of sensitive strings in outputs.
(3) If you want no persistent tracking, confirm the skill uses only in-session memory and does not write logs or analytics to external services.
(4) Test with a non-sensitive sample project to validate output formatting and that no unexpected data is exfiltrated.
If the publisher cannot explain how they implement the 20-README aggregation, consider this a red flag.
