Skill Publisher Verifier
v1.1.1
Check a ClawHub publisher's trust score before installing their skill. Returns TRUSTED, ESTABLISHED, NEW, or FLAGGED based on public signals. Free taster — f...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match what the SKILL.md and README instruct: fetch public ClawHub profiles and run web searches to produce a trust score. Required tools (web_fetch, web_search) are appropriate and no extra credentials or unrelated binaries are requested.
Instruction Scope
Instructions confine actions to fetching ClawHub profile pages and running web searches. One minor documentation inconsistency: the lite SKILL.md/free docs state only 3 free signals (no install volume), while SKILL-FULL describes additional signals (installs, stars, associations) that may rely on privileged or aggregated data not available from a single public profile; this is a product/feature distinction rather than evidence of malicious behavior.
Install Mechanism
No install spec and no code files — instruction-only skill. No downloads or archive extraction are present, so there is no install-time code risk.
Credentials
The skill requires no environment variables or credentials. The requested access (network/web fetch and search) is proportionate to the stated purpose of verifying public publisher signals.
Persistence & Privilege
The skill does not request permanent presence or elevated privileges (always is false). It does not modify other skills or system configuration. Autonomous invocation is allowed by default but is not combined with any broad credential access.
Assessment
This skill is instruction-only and uses only public ClawHub profile pages plus web searches to produce a trust label; it does not ask for credentials or install code. Before relying on it: (1) understand the free vs paid signal gap — the free version only checks 3 signals and may return NEW when data is incomplete; (2) review any FLAGGED findings the agent surfaces manually (follow links) before installing a skill; (3) ensure your agent's web_fetch/web_search tools are trusted and network access is intentionally enabled; and (4) treat its output as advisory rather than definitive, especially when the skill reports NEW due to missing data or network errors.
Like a lobster shell, security has layers — review code before you run it.
