Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hide My Email
v1.0.1
Generate Apple Hide My Email addresses on macOS terminal and copy them to clipboard using the hme CLI tool.
by Mijo Kaliger @manikal
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the files and runtime instructions: the skill wraps the 'hme' CLI which uses AppleScript to drive System Settings and copy a generated Hide My Email address to the clipboard. No unrelated credentials, env vars, or unexpected binaries are requested.
Instruction Scope
SKILL.md only instructs installing/running the hme CLI and describes the expected behavior. It explicitly requires Accessibility (screen/UI) permissions for the terminal app so the AppleScript can drive System Settings; that is expected for this use but is a sensitive capability. One install command in SKILL.md appends an export line directly to ~/.zshrc (modifies a shell profile) — install.sh in the repo is less intrusive and suggests how to add PATH manually.
Install Mechanism
No install spec in registry, but SKILL.md provides two installer options: a git clone (reasonable) and a curl | sh one-liner pinned to GitHub raw. Both fetch code from GitHub (a well-known host), but piping remote shell code into sh is higher-risk; the included install.sh (present in the package) is straightforward and easy to inspect before running.
Credentials
No environment variables, credentials, or config paths are requested. The required capability (Accessibility permission) is proportionate to UI automation needed to create Hide My Email addresses.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. However, it requires granting Accessibility control to the terminal app, which allows UI automation and clipboard access — a powerful permission the user must grant explicitly and should only be granted after inspecting the scripts.
Assessment
This skill is coherent with its purpose, but take these precautions before installing:
1) Prefer cloning the repository and inspecting the files (hme and hide_my_email.applescript) yourself rather than running 'curl ... | sh'.
2) Review the AppleScript (hide_my_email.applescript) and the hme script to understand exactly what UI actions and clipboard operations they perform.
3) Be aware that granting Accessibility permission to your terminal lets the script control System Settings and read/copy clipboard contents — only grant it to trusted code and revoke the permission if you stop using the tool.
4) Verify the repository source and checksums if you rely on this for sensitive workflows.
If you want higher assurance, request the AppleScript and hme script contents for review (they were not included in the SKILL.md payload here).
Like a lobster shell, security has layers — review code before you run it.
