ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

atypica-user-interview

v1.0.0

Run AI-simulated user interviews and focus group discussions using atypica.ai's library of human-like personas. Each persona is an AI that behaves like a rea...

0· 43·0 current·0 all-time
by@owenrao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description (AI-simulated interviews) matches the included docs, API reference, and helper script which call atypica.ai endpoints. However, the registry metadata declares no required environment variables while the SKILL.md and the provided script clearly require an API token (ATYPICA_TOKEN / atypica_xxx) and an endpoint — this metadata omission is an incoherence that could mislead users about secret requirements.
!
Instruction Scope
SKILL.md instructs editing third-party client config files (e.g., Claude Desktop JSON in user AppData / Library paths) and exporting ATYPICA_TOKEN. It also provides a bash helper that will POST JSON to https://atypica.ai/mcp/universal and may write API responses to files. These steps reference and modify user-level application config and require storing an API token in environment or config files — actions outside a purely ephemeral, read-only skill scope and worth user scrutiny.
Install Mechanism
No install spec is present; the skill is instruction-heavy and ships a small helper script. There is no remote code download or extract step, and the script is plain bash that uses curl/jq. This is lower risk than fetching arbitrary binaries.
!
Credentials
The skill effectively requires an atypica API token (ATYPICA_TOKEN / 'atypica_xxx') but the registry lists no required env vars or primary credential. Requesting a bearer token that gives access to the service is proportionate to the functionality, but the omission in metadata and the instruction to persist the token (in env or client config JSON) are problematic: users need to know this up front and consider token scope/permissions before use.
!
Persistence & Privilege
always:false and the skill does not demand platform-level privileges, which is good. However, the runtime docs explicitly tell users to add atypica as an MCP server inside other client config files (e.g., Claude Desktop), which modifies another application's configuration. That cross-application config change increases persistence/privilege beyond a self-contained skill and should be done deliberately by the user.
What to consider before installing
Before installing or using this skill: - Expect to create an atypica.ai account and obtain an API key (format 'atypica_xxx'); the skill's metadata does not list this but the docs and script require it. - Prefer creating a dedicated, least-privilege API key (or a throwaway account) rather than reusing a high-privilege token. - Be aware the SKILL.md suggests storing the token in an environment variable or adding it to other apps' config files (e.g., Claude Desktop JSON). Storing tokens in plaintext config files grants that app access to your atypica account — review those files and their access permissions. - Review atypica.ai's privacy, data retention, and sharing behavior (reports produce public share URLs and signed CDN links). Don’t send sensitive or PII in prompts unless you accept those sharing/retention properties. - The included scripts use curl/jq and may write API responses to disk; inspect any output files before sharing. - If you decide to proceed, verify the endpoint (https://atypica.ai/mcp/universal) and consider testing with limited data or an account with constrained privileges first. If you want, I can extract the exact places the SKILL.md instructs you to edit (file paths and JSON snippets) and highlight every location the token would be stored or transmitted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97catv2rr0jt9r0hjh5wbxgy583jypv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments