Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HPD Pipeline
v0.1.0
Use when the HPD lab needs a repeatable Planner -> Designer -> conditional Developer -> Tester flow for an approved idea, with Lobster-first and sequential f...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (HPD pipeline) align with the SKILL.md stage contract and required outputs. Expectation to prefer a 'lobster' CLI and to generate images/CAD/source fits the described pipeline. However, the skill references external tools and outputs (openclaw image generate, Gemini API, Notion-first) that are not declared in the skill's requirements.
Instruction Scope
The instructions tell the agent to run external commands and APIs (try lobster on PATH; run 'openclaw image generate'; fall back to a 'Gemini API script' if image generation fails) and to write OpenSCAD and other artifact files to the workspace. They also require publishing outputs Notion-first. Those actions involve external integrations and writing files, but the skill does not enumerate what credentials or endpoints will be used or provide the fallback scripts — giving the agent broad discretion to call environment-integrated services.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes code-install risk.
Credentials
No environment variables, credentials, or config paths are declared, yet the SKILL.md expects use of external services (Gemini API, Notion) and CLIs (lobster, openclaw). Those services typically require API keys/credentials; the absence of declared env vars is a mismatch. If the agent environment already has those integrations, the skill would use them implicitly — which could lead to unintended data sharing.
Persistence & Privilege
always is false and there is no code that requests persistent/system-wide configuration or modifies other skills. The skill writes artifacts to its workspace per the contract, which is normal for this type of workflow.
What to consider before installing
This skill appears to be a coherent project pipeline, but it relies on external CLIs and APIs (lobster, openclaw image generation, Gemini API) and asks for outputs to be 'Notion-first' while declaring no credentials. Before installing: (1) confirm whether your agent environment already has Lobster, OpenClaw, Gemini, or Notion integrations and what credentials they expose; (2) decide whether you are comfortable that the agent may call those services and push project artifacts to Notion; (3) if you want to restrict access, run the skill in a sandbox or remove/disable integrations you don't trust; (4) ask the skill author to declare required binaries and environment variables and to provide any fallback scripts (e.g., the 'Gemini API script') so you can review them. If you cannot verify those integrations, treat the skill as capable of sending project data to external services and proceed cautiously.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧪 Clawdis
