Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Api Rate Limiter
v1.0.0
Manages API request rates with delay, concurrency limits, configurable policies, automatic retries, and real-time status monitoring.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, README, SKILL.md, and scripts coherently implement an API rate limiter with delay, concurrency and config management. Requiring jq and using copy/sleep logic is proportional to that purpose. However, some implementation choices (hard-coded /root default path) don't match the install instructions and expected install locations, which is unexpected for a user-level skill.
Instruction Scope
The runtime instructions map to the provided scripts and CLI commands. But the scripts reference and write to /root/.openclaw/workspace/skills/... (DEFAULT_CONFIG_FILE) while install.sh copies files into $HOME/.openclaw/workspace/skills — this mismatch means the skill may try to read/write files in /root unexpectedly. The scripts do not access network endpoints or external secrets, so no obvious data exfiltration, but the filesystem path usage is outside the skill's stated simple scope.
Install Mechanism
There is no remote installer (no downloads). install.sh copies local files into ~/.openclaw/workspace/skills and attempts to create a /usr/local/bin symlink (using sudo if available). No external URLs or archives are fetched. The install is local and traceable, but it attempts to create a system-wide symlink and therefore may ask for sudo.
Credentials
The skill does not request environment variables, credentials, or external tokens. It does require jq (and optionally bc) which is reasonable for JSON parsing and arithmetic. No hidden credential access is present in the code.
Persistence & Privilege
The installer will create a symlink in /usr/local/bin (possibly with sudo), giving a system-wide command. More importantly, the scripts write/read a DEFAULT_CONFIG_FILE located under /root — this hard-coded root path may cause the tool to require elevated privileges or to operate inconsistently between users. The skill does not set always:true, nor does it modify other skills, but the root-path behavior increases its privilege/permission footprint unexpectedly.
What to consider before installing
This skill appears to implement the claimed rate-limiting functionality, but there are implementation inconsistencies you should address before installing:
1) The main script uses DEFAULT_CONFIG_FILE and the entrypoint path hard-coded to /root/.openclaw/..., while install.sh installs files under $HOME — fix these paths to be consistent (use $HOME or relative skill dir) to avoid needing root or silently failing.
2) install.sh creates a /usr/local/bin symlink and may call sudo — run the installer with care and inspect the script first.
3) Ensure jq is installed; the scripts exit if jq is missing.
4) Consider running the skill in a sandbox or testing environment first (or manually copy files rather than running install.sh) so you can confirm it doesn't attempt to read/write root-owned paths.
If the author intended to require root, ask why; if not, request a patch that removes hard-coded /root references and uses the installed skill directory or $HOME consistently.
Like a lobster shell, security has layers — review code before you run it.
