Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
健身房 (Gym)
v0.1.0
Find nearby gyms. Invoke when user asks for fitness centers near me.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match: a simple 'nearby gyms' skill reasonably requires no extra binaries, env vars, or installs. The declared inputs (location, radius, filters) are appropriate for the purpose.
Instruction Scope
SKILL.md defines inputs, outputs, and privacy considerations but does not specify how to obtain gym data (no provider, API endpoints, or query mechanism). It also references STANDARD_RESPONSE.md via a local file:///Users/... path that will not exist in most runtimes. Because the instructions are incomplete and leave unspecified how external data is retrieved, an agent may fall back to broad behaviors (web scraping, generic web requests, or other platform tools) — this is vagueness that affects safety and predictability.
Install Mechanism
No install spec and no code files — instruction-only skill. Low installation risk because nothing is written to disk or downloaded.
Credentials
No environment variables, credentials, or config paths are requested. This is proportional to the described functionality (a simple POI lookup doesn't inherently require secrets).
Persistence & Privilege
Flags show default behavior (not always-on, user-invocable, autonomous invocation allowed). Nothing in the skill requests elevated persistence or modifies other skills/config.
What to consider before installing
This skill appears to be a lightweight, instruction-only formatter for returning nearby gyms, but the runtime instructions omit how to fetch POI data and reference a local STANDARD_RESPONSE.md that likely won't exist. Before installing or enabling it: (1) ask the publisher which data provider/API the skill uses (Google/Foursquare/OSM/etc.) and whether any API keys are required; (2) confirm how the platform will supply user location and that the skill will not persist precise coordinates (it claims to grid/blur coordinates — get specifics); (3) request a corrected reference or the actual STANDARD_RESPONSE schema so you know the output format; (4) test in a safe environment to verify the agent doesn't perform broad web scraping or unexpected network requests. These steps will reduce the uncertainty caused by incomplete instructions.
Like a lobster shell, security has layers — review code before you run it.
