Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wiki Js V3

v1.0.1

All-encompassing Wiki.js Administration – GraphQL + REST API wrapper with full coverage. Pages, Assets, Search, Tags, Tree, History, Versioning, Rendering. R...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, medium confidence
Purpose & Capability
Name/description describe a Wiki.js administration client and the included bin/wiki.js implements GraphQL, REST upload, pages/assets/tags operations that match that purpose. Minor inconsistency: registry metadata lists no required env vars while SKILL.md and the code require WIKIJS_URL and WIKIJS_TOKEN.
Instruction Scope
SKILL.md instructs using environment variables, optionally creating a CLI symlink, and reading files for uploads/upserts — all expected for a CLI admin client. It does not instruct reading unrelated system files or exfiltrating data to third-party endpoints.
Install Mechanism
The registry has no formal install spec; SKILL.md lists npm packages (graphql-request, form-data, node-fetch) but no automated installer. This is not harmful, but means the runtime dependencies must be installed by the user or platform; verify the environment provides them.
Credentials
The skill requires a Wiki.js URL and API token (WIKIJS_URL, WIKIJS_TOKEN) which are appropriate and necessary. The code enforces a token and uses it only for requests to the wiki endpoints. Required config path 'wikijs' is plausible. Ensure you use a key with minimum needed permissions (prefer read-only if you won't write).
Persistence & Privilege
No 'always: true' or elevated privileges requested. Optional instructions create a symlink in ~/.local/bin and chmod the bundled script — expected for providing a CLI wrapper and under user control.
Assessment
This skill appears to do what it says: a Wiki.js admin CLI that needs WIKIJS_URL and WIKIJS_TOKEN and will read files you give it (for uploads or @file upserts). Before installing: (1) only provide an API key scoped to the minimum permissions needed (avoid a full-admin key if you only need read/write on a subset); (2) review the full bin/wiki.js for any use of child_process.spawn or external commands (the script imports spawn — confirm what it's used for, e.g., PDF rendering may invoke external binaries); (3) be aware the SKILL.md asks you to create a symlink in ~/.local/bin (this modifies your user PATH); (4) install or verify the listed npm dependencies in a controlled environment; and (5) if you want stricter assurance, ask the maintainer for a signed release or a provenance explanation because the registry metadata omitted the required env vars. Overall this looks coherent for its purpose but validate API key scope and review the rest of the script before use.
bin/wiki.js:46: Environment variable access combined with network send.
bin/wiki.js:766: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Runtime requirements

Config: wikijs
