ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Release Guard

v1.0.0

Validate a local skill folder before publishing or sharing it. Use when Codex is about to release a skill, publish to ClawHub, audit SKILL.md quality, check...

0· 59·0 current·0 all-time
by@neo1307
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say it validates a local skill folder; the included script inspects SKILL.md frontmatter, folder name, clutter files, and checks JS syntax — all coherent with that purpose.
Instruction Scope
SKILL.md instructs running the included script which only reads files under the target skill directory, runs Node's syntax check on JS files, and writes a JSON report to the specified output path. There are no network calls, no reading of unrelated system files, and no execution of untrusted scripts.
Install Mechanism
This is an instruction-only skill with a small helper script; there is no install step, no external downloads, and no packages pulled from registries.
Credentials
The skill requires no environment variables, credentials, or special config paths. The script only operates on the directory passed via --skill and the output path passed via --out.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills' configs, and only writes the specified output JSON (creating parent directories as needed).
Assessment
This tool appears safe and does what it says: it inspects a local skill folder and writes a JSON checklist. Before running, verify you pass the correct --skill and --out paths so it doesn't overwrite important files, and be aware the script will create the output directory if it doesn't exist. Note a small mismatch in the SKILL.md example path vs the provided script location (the SKILL.md example references skills/skill-release-guard/..., while the file here is scripts/check_skill_release.js) — ensure you invoke the correct path in your environment.
scripts/check_skill_release.js:33
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972e5j7fkqh5tskncyr91fw3h839559

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments