Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Assetflow
v1.0.0
Organize and store digital assets across cloud providers with automated workflows. Use when the user needs DAM integration, file organization, or asset metad...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The README claims native integrations with many providers (AWS S3, Google Drive, Azure, Dropbox, Adobe AEM, Slack, OCR/face detection, etc.) but the declared required env vars are just ASSETFLOW_DAM_API_KEY, ASSETFLOW_STORAGE_PROVIDER, and ASSETFLOW_WORKSPACE_ID. Real integrations normally require provider-specific credentials (AWS_ACCESS_KEY/SECRET, GCP OAuth tokens, Slack webhook token, Adobe API keys, vision/AI service credentials). This mismatch suggests the declared requirements are incomplete or the skill will request additional secrets at runtime.
Instruction Scope
SKILL.md is large and describes workflows that imply reading, moving, and uploading many user files and metadata across external services. As an instruction-only skill, its runtime behavior depends entirely on those prose directions; the visible instructions provide broad discretion (automated workflows, scheduled jobs, approvals, OCR, face detection). The doc likely expects the agent to access user assets and call external APIs; the SKILL.md does not clearly limit where credentials come from or explicitly enumerate all external endpoints or env vars it will access.
Install Mechanism
No install spec and no code files — lowest risk in terms of automatic code execution on install. All runtime behavior arises from the instruction text and the agent invoking APIs or user tools.
Credentials
The number and specificity of requested environment variables is small and generic for a skill that claims to integrate with many external services. The declared env vars do not cover provider-specific credentials or AI/vision services implied by features (OCR, face detection). This is disproportionate and leaves open how additional credentials will be supplied or used.
Persistence & Privilege
always is false and there are no requested config paths or claims to modify other skills or system-wide settings. Autonomous invocation is allowed (default), which is normal — but combined with the other concerns it increases potential impact if the skill requests or uses additional credentials at runtime.
Scan Findings in Context
[no-findings] expected: The package is instruction-only (SKILL.md) so the regex-based scanner had no code to analyze. Absence of findings is not evidence of safety; the runtime behavior is determined by the prose.
What to consider before installing
This skill describes broad DAM, storage, and AI-driven features but only declares a few generic environment variables — ask the publisher for a complete list of required credentials and a clear description of what external APIs/endpoints the skill will call. Before installing, verify: (1) which provider credentials are required and whether you can supply least-privilege service accounts (e.g., S3 read/write limited to specific buckets, scoped OAuth tokens for Drive), (2) whether asset data or metadata will be sent to third-party endpoints (and which ones), (3) whether OCR/face-detection uses your cloud account or a third-party service, (4) how the skill requests credentials at runtime (env vars vs interactive prompts) and whether it stores them, and (5) test first in an isolated environment with non-sensitive assets. If the publisher cannot provide a full runtime spec (all env vars, endpoints, and credential handling), treat the skill as potentially unsafe and avoid granting broad credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a2c7ry9naj3nekzjdrwd53s83k3qs
Runtime requirements
📦 Clawdis
OS: macOS · Linux · Windows
Env: ASSETFLOW_DAM_API_KEY, ASSETFLOW_STORAGE_PROVIDER, ASSETFLOW_WORKSPACE_ID
