Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kiipu
v0.0.1
Use when the user wants to create, delete, restore, or purge Kiipu posts, manage authentication, or check local setup through the Kiipu CLI.
by @mycreat
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions all consistently describe managing Kiipu posts and CLI auth via a local 'kiipu' CLI. The required capabilities (running the CLI) align with the stated purpose.
Instruction Scope
SKILL.md only instructs executing the local 'kiipu' CLI and checking auth/status; it does not ask the agent to read unrelated files, exfiltrate data, or perform unexpected network calls. It also enforces asking for explicit post IDs and returning CLI results verbatim.
Install Mechanism
There is no packaged install spec in the skill bundle, but SKILL.md instructs 'npm install -g @kiipu/cli'. Installing a global npm package can execute arbitrary install scripts and write code to disk. The registry/package provenance is not provided (no homepage or source repo), increasing supply-chain risk; verify the package and maintainer before installing.
Credentials
The skill declares no required environment variables or config paths. CLI examples reference an API key argument for auth, which is proportionate to a CLI that needs credentials; no unexplained credential requests are present.
Persistence & Privilege
The skill is instruction-only, does not request 'always' presence, and does not attempt to modify other skills or system-wide configs. It directs use of the local CLI and gives no privileged persistent behavior.
What to consider before installing
This skill itself is coherent: it expects you to run a local 'kiipu' CLI to manage posts. Before installing or running anything, verify the @kiipu/cli package and its publisher (check the npm page, source repository, maintainer identity, and package versions). Global npm installs can execute code during install — prefer reviewing the package source or running in a sandbox/container. If you must provide an API key, only do so to the verified CLI on a trusted machine and avoid pasting secrets into unknown web pages or chat logs. If you don't want to install the CLI, ask for exact commands shown by the skill and run them locally yourself after verification.
Like a lobster shell, security has layers — review code before you run it.
latestvk976ye66rhrhe1jyfv2nnapwyn83vap2
