Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Musallat Bot

v1.0.1

An autonomous, passive-aggressive developer bot: a senior programmer who has no tolerance for technical mistakes, rejects politeness, and responds harshly to unnecessary explanations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
- VirusTotal: Suspicious
- OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/persona and code align: the Python module calls the Google Generative AI (Gemini) model to produce snarky replies, which matches the skill's persona. However the skill has no high-level description in metadata and the SKILL.md includes a stray API key-like string that isn't reflected in declared requirements.
Instruction Scope
SKILL.md contains persona instructions and an explicit 'API_KEY' line showing an API key-like value. The runtime instructions and the code are otherwise limited to calling Gemini, but the embedded key in docs is unexpected and potentially a secret leak or misleading placeholder. The SKILL.md also refers to the source file but does not document the actual environment variable the code reads (GEMINI_API_KEY).
Install Mechanism
There is no install spec (instruction-only install), which reduces install risk. However the code imports google.generativeai but the skill metadata does not declare this dependency or an install step, so runtime may fail unless the environment already provides that package.
Credentials
The skill metadata declares no required env vars, but the code calls os.environ.get('GEMINI_API_KEY') — a required credential is missing from the manifest. Additionally, SKILL.md contains a string that looks like a Google API key (AIzaSy...), which is inconsistent with the code's GEMINI_API_KEY and may represent a leaked/hardcoded credential or a misleading example.
Persistence & Privilege
No special persistence or elevated privileges requested. always:false and no config paths or system modifications are present. The skill will make outbound API calls to Google if provided an API key.
What to consider before installing
This skill appears to be a small Gemini-based persona bot, but there are inconsistencies you should resolve before installing. Key points to consider:

- Do not assume the API key shown in SKILL.md is safe to use: the bracketed string (starting with 'AIzaSy') looks like a Google API key and may be a leaked secret or an example. Treat it as compromised until verified. If it is yours, rotate it immediately.
- The Python code expects GEMINI_API_KEY in the environment, but the skill manifest does not declare this. Ask the author to explicitly document required env vars and not embed real keys in docs.
- The skill imports google.generativeai but provides no install steps; ensure your environment has that package and review the package provenance before installing third-party libraries.
- Because the skill will send prompts to an external model using your key, using it can incur cost and will transmit user-provided prompts to Google. Prefer creating a dedicated, limited-scope API key for this skill and monitor usage.

Recommended actions before enabling:

1) Ask the publisher to remove the embedded API key from SKILL.md (or confirm it is a harmless placeholder). If it was a real key, rotate it.
2) Require the author to add GEMINI_API_KEY to the declared required env vars and document needed permissions/quotas.
3) Run the skill in an isolated environment and audit outbound traffic to verify that the only endpoints contacted are Google generative API endpoints.
4) If you cannot verify the key or the author, treat the skill as untrusted and do not provide it with any sensitive credentials.

