ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bit URL Shortener

v1.0.5

Explain bit-cli skill purpose, installation, required setup, and troubleshooting.

0· 218·0 current·0 all-time
byParin Lai@parinll
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Bit URL Shortener / bit-cli docs) align with the declared needs: a 'bit' binary and an API key. The declared Go install module (github.com/ParinLL/bit-cli) and the listed binaries (bit, go, git) are appropriate for building and using a CLI.
Instruction Scope
SKILL.md is documentation-only and instructs building from GitHub, setting BIT_API_KEY, and optionally BIT_API_URL. It does not request access to unrelated files or secrets. Minor issue: BIT_API_URL is described as an optional env var in the docs but is not listed in the skill's declared required env variables (metadata only lists BIT_API_KEY).
Install Mechanism
Install uses the Go module path (go build/go install) and the repo on GitHub; this is a normal public source install path. No downloads from untrusted/personal IPs or archive extracts are present. The SKILL.md also suggests building from source and reviewing the repo first.
Credentials
Only BIT_API_KEY is declared as required and is appropriate for an API client. The documentation mentions an optional BIT_API_URL but that variable is not listed in the metadata fields; this mismatch should be corrected. The skill metadata also requires 'sudo' as a binary, which is not strictly necessary for using the CLI (only for moving a built binary into /usr/local/bin during installation) — note the elevated privilege implied by that install step.
Persistence & Privilege
The skill does not request always: true or any persistent elevated privileges. It is user-invocable and allows autonomous model invocation (platform default), which is expected for a skill. There is no indication it tries to modify other skills or system-wide settings.
Assessment
This skill is documentation-only for a CLI named 'bit' and is largely coherent, but check a few things before you install or use it: - Inspect the upstream repository (github.com/ParinLL/bit-cli) yourself before building. The SKILL.md even recommends reviewing the repo first. - The docs mention an optional BIT_API_URL (default http://localhost:4000) but the skill metadata only declares BIT_API_KEY — be aware of this mismatch and set BIT_API_URL explicitly if you need a remote service. - Building and installing to /usr/local/bin uses sudo (administrator privileges). Prefer installing to a user-local bin (~/bin) or use 'go install' into your Go bin directory if you want to avoid running commands as root. - Treat BIT_API_KEY like any secret: do not store it in shared scripts or commit it to source control; consider least-privilege API keys and rotation. - Verify the Go module and GitHub owner are trustworthy before running 'go build' or 'go install'. If you cannot verify the source, consider obtaining a prebuilt binary from a trusted release channel or avoiding installation. Given these checks, the skill appears to do what it claims and does not contain instructions that access unrelated credentials or system areas.

Like a lobster shell, security has layers — review code before you run it.

bitvk974nmb4mdna9frbevkstsfpj182yhkwclivk974nmb4mdna9frbevkstsfpj182yhkwlatestvk974nmb4mdna9frbevkstsfpj182yhkwurl-shortenervk974nmb4mdna9frbevkstsfpj182yhkw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsbit, git, go, sudo
EnvBIT_API_KEY
Primary envBIT_API_KEY

Install

Install bit via Go
Bins: bit
go install github.com/ParinLL/bit-cli

Comments