ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PLS Agent Tools

v1.0.0

Provides utilities for safe file handling, JSON/YAML editing, regex text processing, system commands, encoding, date/time, and validation tasks.

0· 2k·22 current·23 all-time
byMatt Valenta@mattvalenta
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name and description (file handling, JSON/YAML editing, regex, system commands, encoding, date/time, validation) match the SKILL.md examples. The examples rely on common Unix tooling (jq, yq, rsync, curl, lsof, trash, etc.), which is coherent for a utility skill.
Instruction Scope
Instructions include potentially destructive or high-impact commands (trash/mv/rm, find -exec trash, kill -9 via xargs, lsof|xargs kill) and network operations (curl POST). These are within the stated utility scope but grant broad capability to modify/delete local files and to send data externally; the SKILL.md does not place safety limits or require confirmations.
Install Mechanism
There is no install spec (instruction-only), which is the lowest install risk. No archives or remote downloads are performed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, it references many external CLI tools without listing them as dependencies; verify the runtime environment provides the expected tools (and versions) before relying on the examples.
Persistence & Privilege
The skill does not request persistent/system-wide privileges and is not forced-always. It uses the platform-default ability for autonomous invocation; combined with the destructive commands above, autonomous execution increases blast radius, so consider restricting autonomous use if you want tighter control.
Assessment
This skill is essentially a cookbook of shell commands that align with its stated purpose. Before installing or enabling it for autonomous use: (1) verify your agent runtime has the referenced tools (jq, yq, rsync, trash, lsof, curl, etc.) or adapt examples to your environment; (2) be aware examples include destructive operations (deleting files, killing processes) and network requests—run them in a sandbox or with backups and least-privilege accounts first; (3) if you don't want the agent to run these commands automatically, disable autonomous invocation for this skill or require explicit user invocation; (4) review the SKILL.md and remove or modify any commands that would operate on sensitive paths or send data to external endpoints you don't control.

Like a lobster shell, security has layers — review code before you run it.

latestvk976f52n61e87yq3e11yytzadx81nx4s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments