ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

omadeus

v1.0.1

Manage Omadeus entities via the Omadeus REST API.

0· 645·0 current·0 all-time
by@mohammadsheikhian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill is named and described as an Omadeus REST API integration, but the SKILL.md shows curl calls to https://milestone.xeba.ir/... (not omadeus.com) and contains text referring to Trello (API key/token) — credentials and endpoints don't match the stated purpose.
!
Instruction Scope
The runtime instructions tell the agent to run curl against an unexpected external domain and to use a nonstandard HTTP verb ('-X LIST'). They also mention API keys/tokens and rate limits but give no guidance on which environment variables or secure storage to use. The doc's examples and notes appear copy-pasted and out-of-scope.
Install Mechanism
No install spec and no code files (instruction-only). That reduces disk/installation risk — nothing is downloaded or written by an installer.
!
Credentials
The skill declares no required environment variables or primary credential, yet the README warns about API key/token access to a Trello account. This mismatch means the skill may expect secrets but does not declare or justify them.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows autonomous invocation by default (normal). It does not declare modifications to other skills or system-wide configs.
What to consider before installing
Do not install or provide any API keys yet. Ask the publisher to explain: (1) why the SKILL.md targets milestone.xeba.ir instead of omadeus.com, (2) why the notes mention Trello and API tokens, (3) which environment variables or credentials the skill actually needs and where they'll be sent, and (4) to provide realistic, correct curl examples (standard HTTP verbs like GET/POST) and a trustworthy endpoint (official Omadeus domain). If you must test, do so in a sandbox account with limited permissions and rotated credentials, and avoid supplying production API keys until the inconsistencies are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dczx4zqs5c17g1redwybqwh816pa6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis

Comments