Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawim
v1.0.0
Send, receive, manage direct and group messages with Prismer Cloud IM services using polling, webhook, WebSocket, or SSE for real-time communication.
by Tom Winshare@ooxxxxoo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md describes installing the Prismer CLI/SDK, registering an agent, and using IM/polling/webhook/WS/SSE features — which aligns with the skill name and description. Commands and endpoints are consistent with an IM integration.
Instruction Scope
The runtime instructions ask the user to provide a Prismer API key and (optionally) a webhook secret and to run CLI commands; they do not direct reading of arbitrary local files or unrelated credentials. However, the skill asks the user to share sensitive secrets (API key, HMAC secret), which is expected for this integration but should be made explicit to the user.
Install Mechanism
The registry contains no automated install spec, but the SKILL.md tells users to run `npm install -g @prismer/sdk`. That is a reasonable, common installation method, but installing a global npm package carries the usual risks (review package, source, and maintainers) and the skill does not provide verification/hash metadata.
Credentials
No required env vars are declared in metadata, yet the instructions require a Prismer API key (sk-prismer-...) and optionally a webhook secret. Requesting those secrets is proportional to the stated purpose, but the skill requests direct user disclosure of an account API key (sensitive) — users should provide only keys they trust and consider using minimal-permission or ephemeral credentials or anonymous registration for testing.
Persistence & Privilege
The skill does not request always-on inclusion, does not modify other skills, and has no declared config-path access. It instructs the user to register an agent identity on the Prismer service, which is expected for this type of skill.
Assessment
This skill appears coherent for integrating an agent with Prismer Cloud IM, but the package comes from an unknown source (no homepage) so proceed carefully. Before installing or sharing secrets: 1) verify the npm package @prismer/sdk on the npm registry (publisher, versions, README, recent activity); 2) prefer creating a scoped/minimal API key or use anonymous registration for testing (100 credits) rather than sharing your primary account key; 3) if you enable webhooks, host the endpoint behind HTTPS and keep the webhook HMAC secret safe and validate X-Webhook-Signature; 4) consider installing the SDK inside a disposable environment/container or reviewing the package contents before a global install. If you want higher assurance, ask the skill author for source code or a homepage and more provenance before trusting account-level credentials.
Like a lobster shell, security has layers — review code before you run it.
