Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Dependencies

v1.0.0

Track and manage dependencies between OpenClaw skills. Scan skills for dependencies, visualize skill trees, detect circular dependencies, and manage skill versioning. Use when analyzing skill relationships, checking which skills depend on others, or managing skill installations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The scripts implement dependency scanning, conflict detection, tree display and installation from ClawHub, which matches the description. However, the metadata declares no required binaries or environment, but the scripts rely on external tools (curl, jq) and optionally the clawhub or openclaw CLIs; this is a modest mismatch between declared requirements and actual needs.
Instruction Scope
Runtime instructions and scripts operate on SKILL.md/skill.json files in expected skill directories and call the ClawHub API for remote metadata. They do not read or transmit unrelated system files, nor do they exfiltrate local SKILL.md contents to remote endpoints. The scope stays within managing and installing skills.
Install Mechanism
There is no formal install spec; the skill is provided as shell scripts. The install behavior (skill-install.sh) queries https://clawhub.com/api and relies on external CLIs or direct guidance to run openclaw/clawhub. The scripts do not download or execute arbitrary archives, but network access is required for installs.
Credentials
The skill does not request secrets or credentials in metadata. Scripts use standard environment values (HOME, PATH) and call external CLIs; no disproportionate credential access is requested or used.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills' configuration files itself; it can invoke install operations via existing CLIs, which is appropriate for a package manager-like utility.
Assessment
This skill appears to do what it says (scan skill directories, show dependency trees, and help install from ClawHub). Before installing or running the scripts:
1) Inspect the scripts locally (they are plain shell) and ensure you are comfortable running them.
2) Ensure required tools are available (curl and jq are used; openclaw or clawhub CLIs are optional but referenced). The metadata did not declare these dependencies — that mismatch can cause failures.
3) Be aware skill-install.sh makes network requests to https://clawhub.com/api to fetch metadata; verify that endpoint is trusted in your environment.
4) Run in a sandbox or non-critical environment first (these scripts will call system-installed CLIs and may prompt you to run install commands).
If you need higher assurance, ask the author for source/origin and a declared list of required binaries (curl, jq, any CLI tool) before use.

Like a lobster shell, security has layers — review code before you run it.

