Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ai-humanizer

v2.1.0

Humanize AI-generated text by detecting and removing patterns typical of LLM output. Rewrites text to sound natural, specific, and human. Uses 24 pattern det...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, README, SKILL.md, and included source (Node.js analyzer/humanizer, patterns, stats) are coherent: it is a local text analyzer/humanizer that uses 24 detectors and statistical checks. However, there is a mismatch: the registry lists the skill as 'instruction-only' (no install spec and no required binaries), while the bundle contains a full Node.js CLI and a package.json that requires Node >=18. The skill claims 'zero dependencies' and 'works offline', but running the included code does require a Node runtime. This packaging/runtime inconsistency should be resolved before trusting the skill to function as described.
Instruction Scope
SKILL.md and other docs limit actions to scanning and rewriting text, computing stats, and optionally reading user-supplied files (via -f/--file). The instructions do not request unrelated system files, host credentials, or external endpoints. They do permit reading files provided as input (expected for a CLI tool), so confirm any file paths given at invocation are intended.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. But the package includes executable scripts and source code (Node.js). If the agent or an operator attempts to run the included CLI, a Node runtime is required; there is no explicit 'required binaries' entry listing node. The absence of an install mechanism for bundled code is an inconsistency to verify: either the skill is truly instruction-only (and the code is informational) or it intends the agent to run local Node code and the manifest should declare that requirement.
Credentials
The skill requests no environment variables, credentials, or config paths. The code and docs claim offline/local operation with no API keys, which is consistent with the repository content (no network calls visible in the inspected snippets). Still, you should inspect the complete src files for unexpected outbound network calls if you plan to run the CLI on sensitive data.
Persistence & Privilege
Flags show default behavior (always: false, agent-invocable allowed). The skill does not request persistent or elevated privileges and does not indicate it will modify other skills or global agent settings.
What to consider before installing
This skill appears to be a local text humanizer/analyzer and the code in the bundle matches the described functionality, but there are a few things to check before installing or running it:

- Packaging mismatch: the skill is labeled 'instruction-only' and lists no required binaries, yet the repository includes a Node.js CLI (package.json) and scripts that require node >= 18. Confirm whether the runtime will provide Node or whether the SKILL.md will be accompanied by the code at runtime. If you expect to run the included CLI, ensure you have Node 18+ installed.
- Review the remaining source files (src/*) for any network activity or unexpected behaviors before executing on sensitive systems. The sampled files show no obvious external endpoints, but a full review is prudent.
- When using the tool, be cautious with the file flag (-f): the CLI can read any file path you pass. Don’t pass sensitive system paths unless you intend to analyze them.
- Verify the author/repository (package.json points to a GitHub URL) if provenance matters to you. If you need stronger assurance, run the tests locally (npm test) in a sandboxed environment before giving the skill access to real data.

Given the mismatch between 'instruction-only' metadata and included Node.js code, treat this as suspicious until the author clarifies intended installation/runtime semantics or until you run the code in a controlled environment.


latest: vk9754j6pjyyvm32dm8skrkcg65832qy2
