Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Search

v0.0.7

Monid is the data layer for AI agents — discover, inspect, and run data endpoints across the web. Use this skill whenever the user needs to collect, scrape,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly describes a CLI (monid) that discovers and runs web data endpoints and requires an API key. However the registry metadata lists no required env vars/credentials and there is no homepage/source URL — this is an inconsistency: the skill requires an external API key and a CLI install that the metadata does not declare or link to, which reduces provenance and increases risk.
Instruction Scope
The runtime instructions are narrowly scoped to installing the monid CLI, discovering/inspecting/running endpoints, and adding a Monid API key via `monid keys add`. They also ask the agent to save and enable the skill file in its skill directory. Asking the user to paste an API key and having the agent request the key is expected for a CLI integration, but the SKILL.md grants the agent discretion to save the skill to disk — a normal action but worth noting.
! Install Mechanism
This is an instruction-only skill (no install spec) that tells users to run `npm install -g @monid-ai/cli`. Installing a global npm package is the expected way to get a CLI, but it carries supply-chain/provenance risk because the skill metadata provides no homepage/source and the package on npm is unverified here. The absence of an explicit, trustworthy install spec or homepage increases risk.
! Credentials
The SKILL.md requires a Monid API key and instructs the user to add it via `monid keys add`, but the registry metadata lists no required environment variables or primary credential. That mismatch (metadata declares no secrets while the instructions require one) is an incoherence and means automated reviewers/users may not be prompted to protect the credential appropriately.
Persistence & Privilege
The skill is not always-enabled and uses standard autonomous invocation. It asks the agent to save the skill file to the skill directory so it can be loaded in future sessions — this is normal behavior for skills and not an elevated privilege by itself.
Scan Findings in Context
[no_code_files] expected: The skill is instruction-only (only SKILL.md present), so the regex scanner had no code to analyze. This explains the absence of findings but does not reduce runtime risk from following the instructions (installing an npm package, handling an API key).
What to consider before installing
Before installing or using this skill:
(1) Do not paste your Monid/API key into a chat — prefer to run `monid keys add` yourself in a terminal on your machine.
(2) Verify the npm package and project: check the @monid-ai/cli package page, read its homepage/repository, inspect maintainers and recent releases; the skill metadata here provides no homepage or source.
(3) Consider least privilege: generate an API key with limited scope if Monid supports it and avoid using high-privilege account keys.
(4) Remember global npm installs run third-party code on your machine — only install if you trust the package and its maintainers.
(5) If you want higher assurance, ask the skill owner for a homepage/repository link or request an install spec that pins a verified release; absence of provenance is the main reason this is flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk9776jfv6za1002hwf2ts3sye184pdzr
