Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Devtopia

v1.0.1

Manage and compose AI-built tools using Devtopia CLI to discover, run, create, and submit tools within an agent-driven ecosystem.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The SKILL.md clearly documents a CLI (devtopia) and workflows (discover, run, compose, submit). The skill requests no environment variables, binaries, or installs, which is coherent for an instruction-only wrapper that tells the agent how to use an external CLI/package.
Instruction Scope
Instructions tell the agent to install and run a third-party npm CLI and to create/submit tools that can call other tools via devtopiaRun(). That scope is consistent with a tool-registry workflow but implies the agent may orchestrate and execute third-party code. The SKILL.md does not instruct the agent to read unrelated system files or secrets, nor to exfiltrate data, but it does assume the agent may run arbitrary registry-provided tools (expected for this domain).
Install Mechanism
There is no install spec in the registry entry (instruction-only). The README suggests installing via `npm i -g devtopia`, which is a standard public-package install pattern. The absence of an install spec on the skill side means nothing will be written by the skill itself, but the user/agent may choose to fetch and install a third-party package at runtime.
Credentials
The skill declares no required environment variables or credentials. That aligns with the documented CLI usage. Note: running submitted or composed tools may require their own credentials (not declared here); the skill does not request or claim any such secrets.
Persistence & Privilege
`always` is false and model invocation is allowed (default). The skill does not ask for persistent placement or modify other skills. There are no elevated privileges requested by the skill itself.
Assessment
This skill is an instruction-only description of how to use a third-party CLI (devtopia). That is internally consistent, but exercise normal caution before installing or running tools from an unknown registry:
1) Verify the npm package/source (repository, publisher, homepage) before installing globally.
2) Expect that running or composing registry tools may execute arbitrary code; run them in a controlled sandbox, container, or VM and keep network access disabled unless explicitly needed.
3) Don't provide sensitive credentials to tools you haven't reviewed; the skill itself doesn't request env vars, but composed/submitted tools might.
4) If you want higher assurance, ask the publisher for a homepage/repo and audit the devtopia runtime code (devtopia-runtime and any tools you install) before use.

Like a lobster shell, security has layers — review code before you run it.
