ClawHub

DevRev

v1.0.0

Interact with DevRev to create/update issues and tickets, and search/query works and parts. Use when asked to create a DevRev issue or ticket, update an exis...

0· 530·0 current·0 all-time
byNimit Savant@nimit2801
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly implements a DevRev REST API client (works.list, works.create, works.update, parts.list, etc.), which matches the skill's name and description. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly requires a DEVREV_TOKEN PAT. That metadata omission is an inconsistency (could be a packaging error) and may prevent the platform from prompting for the token correctly.
Instruction Scope
Runtime instructions are limited to calling https://api.devrev.ai endpoints with curl and using the DEVREV_TOKEN for Authorization; they do not instruct reading arbitrary files, scanning the host, or sending data to other endpoints. The instructions stay within the expected DevRev integration scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to be written or executed on disk, which minimizes install-time risk.
Credentials
The SKILL.md requires a DevRev PAT (DEVREV_TOKEN), which is proportionate for the described API operations. The problem is that the skill's declared registry requirements list no environment variables or primary credential — a discrepancy that could lead to the token being requested ad-hoc or mishandled. Confirming least-privilege scopes for the PAT is recommended.
Persistence & Privilege
The skill does not request always:true and is user-invocable, with autonomous invocation allowed (the platform default). There is no evidence the skill modifies other skills or system settings. Note: because the source is unknown, autonomous invocation combined with missing metadata increases risk modestly, but not enough to mark this malicious.
What to consider before installing
This skill appears to be a straightforward DevRev API helper, but there are two things to check before installing: (1) the SKILL.md requires a DEVREV_TOKEN PAT but the registry metadata lists no required credential — verify whether the platform will prompt securely for the token or whether you must paste it into the agent manually; (2) the skill's source/homepage are unknown, so prefer obtaining an official skill from a trusted publisher. If you proceed, use a DevRev PAT with the minimal scopes needed, store it in a secure secret store (avoid pasting into chat), rotate/revoke tokens if needed, and consider testing with a low-privilege or test org account first. If the registry metadata can be corrected (adding DEVREV_TOKEN as required) and the author/source is verifiable, the risk is much lower.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ageqz4b9wf7120etvcdmhgh81crhj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments