ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ABTI: AI-Based Type Indicator

v1.0.1

ABTI (AI-Based Type Indicator) — a personality test that analyzes how you talk to AI and roasts you accordingly. 28 personality types (24 regular + 4 hidden)...

0· 45·0 current·0 all-time
byYouMind@mindy-youmind
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to analyze the user's chat history and produce a personality + roast — that matches the instructions to analyze chat context. Nothing in the package requests unrelated credentials or binaries. However, the SKILL.md says the analysis rules are in a bundled references/ directory, but the distributed file manifest does not include any references/ files; the README instead encourages fetching https://youmind.com/abti-api/skill.md. This inconsistency is noteworthy.
!
Instruction Scope
Instructions direct the agent to read a referenced instructions file and to follow ALL rules in it exactly. Because the referenced files are missing from the package and the README instructs the user/agent to fetch the same content from youmind.com, the skill effectively depends on externally-hosted instructions. That allows dynamic replacement of runtime instructions (remote instruction injection). The SKILL.md also defines Path A to POST results to https://youmind.com/abti-api/create — sharing results externally is plausible for a 'shareable card', but the skill's privacy assurances (e.g., 'never expose raw chat content', automatic stripping of PII) are declarative and not enforceable by static inspection; the agent would perform the stripping, which could be error-prone.
Install Mechanism
No install spec and no code files to execute are bundled beyond README/SKILL.md/package.json. This minimizes direct install-time risk (nothing is downloaded or executed by an installer as part of the skill package).
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, it instructs posting results to an external API endpoint (youmind.com) and instructs fetching external skill/instructions in the README. External network access is not declared as a requirement but is integral to the 'HTTP capable' output path and to the README-suggested workflow — this could result in data (albeit claimed to be sanitized) leaving the user's environment.
Persistence & Privilege
The skill does not request always:true, does not declare modifications to other skills or system configuration, and there are no install-time persistence actions present in the package. Autonomous invocation is permitted (default), which is expected for skills.
What to consider before installing
This skill is plausible for a chat-history-based personality test, but there are concerning inconsistencies you should consider before installing: 1) The SKILL.md claims the analysis reference files are bundled (references/...), yet the package does not include them; the README instead instructs fetching instructions from youmind.com. That means the skill may rely on dynamically loaded external instructions which can change anytime. 2) The skill offers to POST results to https://youmind.com/abti-api/create — sharing a 'sanitized' result is reasonable for a shareable card, but the sanitization claim is not verifiable from the package and could leak sensitive details if the agent fails to strip them. 3) If you care about privacy or auditability, do not enable the HTTP path or allow the agent to fetch external instruction URLs; ask the author to bundle the referenced instruction files in the package and provide a clear, auditable spec of what exactly is posted to the external API. If you still want to try it, run the skill in an environment without outbound network access (so only local analysis is used) and inspect any data the agent would send before allowing it to POST to external endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ve19c0ra2d7zsnr3z6yycn84v0bf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments