ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

logseq web article

v1.0.1

Fetch article content from general web page URLs, and call logseq-article-archive to organize, summarize, and archive the content. Call this skill when users...

0· 56·0 current·0 all-time
byHelloEric@mesopodamia
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the runtime instructions: the SKILL.md describes fetching web article URLs, converting content to Markdown, recording metadata, and handing the result to logseq-article-archive. Required binaries/env/configs are none, which is consistent with a lightweight fetch-and-format skill.
!
Instruction Scope
The instructions stay focused on fetching and formatting article content (using a WebFetch tool) and returning results. However, they also direct the agent to check for, and if missing, automatically install and then invoke the separate 'logseq-article-archive' skill. That step gives the agent broad discretion to download and install third-party code at runtime and therefore expands scope beyond simple content processing.
!
Install Mechanism
This skill is instruction-only and has no install spec itself (low inherent risk), but it explicitly instructs the agent to automatically install another skill (logseq-article-archive) if not present. No source, registry, or verification instructions are provided for that installation, which could lead to arbitrary code being fetched/executed by the agent during runtime.
Credentials
The skill requires no environment variables, credentials, or config paths. That is proportional to the stated purpose. Note: the downstream logseq-article-archive skill (to be auto-installed) might request additional secrets or env vars — the SKILL.md does not disclose or justify that.
Persistence & Privilege
always:false and model invocation allowed (defaults) are normal. The concern is the skill's instruction to install another skill, which implies modifying the agent's installed-skill set; installing or enabling other skills is a privileged action and should require explicit user consent or provenance checks.
What to consider before installing
This skill does what it says (fetch and format web articles) but it will try to automatically install and call a separate 'logseq-article-archive' skill if that skill isn't already present. Because there is no homepage, source repo, or install spec provided, you should: (1) require explicit confirmation before allowing the agent to install any new skill, (2) ask the skill maintainer or registry for the source/URL and review the logseq-article-archive skill's code, permissions, and required env vars, (3) avoid granting broad credentials or filesystem access to newly installed skills, and (4) consider running any auto-installed skill in a sandboxed environment or only install from trusted registries. If you cannot verify the provenance of logseq-article-archive, do not allow automatic installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk9757rddc4bymx0bstx4beerkn84tgnp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments