Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Understand-Anything-Dashboard

v1.1.0

Launch the interactive web dashboard to visualize a codebase's knowledge graph

by Yuxiang Lin (@lum1104)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's purpose is to launch a local dashboard for a project's knowledge graph, which is coherent. However, the SKILL.md assumes availability of shell, pnpm, npx, Node, and Vite but the registry metadata declares no required binaries or environment variables. Requiring npm tooling is proportionate to the task, but those dependencies should be declared.
Instruction Scope
Instructions tell the agent to run shell commands, install Node dependencies (pnpm install), and run npx vite --open in the background. They reference resolving a plugin root via $0 and an undeclared environment variable (${CLAUDE_PLUGIN_ROOT}). The instructions do not request unrelated system files, but they do rely on runtime environment details that are not declared and may cause the agent to fetch/execute remote packages.
Install Mechanism
There is no install spec, yet the runtime steps include pnpm install and npx vite. npx can download and execute packages from the npm registry on demand; pnpm install may run package install scripts. This dynamic fetching/execution from external registries is an elevated risk and should be explicit in the metadata or avoided by requiring pre-installed binaries.
Credentials
The skill declares no required environment variables but references GRAPH_DIR (set at runtime) and ${CLAUDE_PLUGIN_ROOT} (an undeclared variable) and suggests using $ARGUMENTS/$0. Accessing or relying on undeclared env vars is a mismatch and could lead to unexpected behavior. No secrets are requested, which is appropriate.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It runs a background local dev server, which is expected for this purpose and not inherently a privilege escalation.
What to consider before installing
This skill intends to start a local Vite-based dashboard and is plausible, but the SKILL.md expects tooling and environment pieces that are not declared. Before installing or running it, verify you have Node, a package manager (pnpm or compatible), and Vite installed. Be aware that the instructions use pnpm install and npx vite, which may download and run code from the npm registry (install scripts or npx-launched packages) — only proceed if you trust the dashboard code and your network. Also check where the plugin expects its files to live: the SKILL.md uses $0 and ${CLAUDE_PLUGIN_ROOT} to locate packages/dashboard, which may not resolve correctly in your agent runtime. Recommended actions: (1) ask the publisher to list required binaries (node, pnpm/npm, npx/vite) and any env variables, (2) prefer running vite from an explicit, pre-installed binary rather than npx, or audit the project's package.json before running pnpm install, and (3) run this skill in a sandboxed or development environment if you have any doubt.
