Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Plugin Integration Development

v1.0.1

Guide users to create, validate, and integrate custom plugins, tools, and commands into OpenClaw using templates, scripts, and examples.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description match the included materials: templates, example plugins, and validation/init scripts. Creating and validating plugins is a coherent purpose for the included files.
Instruction Scope
SKILL.md stays within plugin-development scope (create scaffold, validate, install). The runtime instructions reference local paths and scripts only and do not instruct any network calls or reading unrelated system state. However, the scripts assume tools (jq, sed -i behavior) that are not declared, and the docs/scripts expect different manifest filenames (examples use manifest.json while validation expects openclaw.plugin.json), which is an inconsistency that can cause unexpected failures.
Install Mechanism
No install spec; this is instruction-only and ships only examples and shell scripts. There are no downloads or archive extracts, so there is no high-risk install mechanism.
Credentials
The skill declares no required environment variables or credentials, which lines up with its local-development purpose. However, the validation script depends on the external tool jq (and generally on a POSIX shell and sed), but jq is not declared in requirements — a missing dependency rather than a secret/privilege issue.
Persistence & Privilege
The skill is not always-enabled and is user-invocable only. It does not request elevated privileges or modify other skills. Running the scripts writes files into plugin directories (expected for scaffolding) but does not persist as an always-on component.
What to consider before installing
This skill looks like a helpful plugin template and validator, but review and test before running scripts. Specific things to check:
1) The validate script uses jq — install jq or edit the script; the skill did not declare this dependency.
2) Examples include manifest.json files, but the validator and CLI docs expect openclaw.plugin.json — update examples or manifests to match your OpenClaw version.
3) init-plugin.sh uses sed -i in a way that can be non-portable on macOS; test in a safe directory first.
4) Run the scripts in a non-production directory (or provide an explicit output-dir) to avoid accidental overwrites; the init script will refuse to proceed if the target directory exists, but confirm before running.
5) Inspect the generated index.js and manifest before installing any plugin into your real OpenClaw plugins directory.
If you want higher assurance, open the scripts in a text editor or run them under a sandbox/container and verify behavior (no network calls are present).

Like a lobster shell, security has layers — review code before you run it.
