Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kyndlo Events
v3.5.0
WORKFLOW-DRIVEN event creation and validation from Kyndlo campaign tasks. When invoked, the agent MUST follow the mandatory step-by-step onboarding flow belo...
by Carlos Martin (@pirumpi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Kyndlo event creation/validation) align with required KYNDLO_API_TOKEN and gokyn CLI usage. However SKILL.md also relies on Google Places ('goplaces' / GOOGLE_PLACES_API_KEY) for venue discovery — that credential is NOT declared in the registry metadata, which is inconsistent.
Instruction Scope
The runtime instructions direct the agent to run multiple gokyn CLI commands (whoami, task campaigns/cities/rules, etc.), which is appropriate for the function, but they also mandate strict workflows and require a separate goplaces tool and a Google Places API key. The instructions ask the agent to read and 'internalize' rules from gokyn task rules and to follow them strictly; they also tell the agent to install and run binaries. The undeclared Google Places dependency and the rigid, automated workflow expand the agent's external-network footprint beyond what's declared.
Install Mechanism
The registry summary says 'No install spec — instruction-only', but SKILL.md contains an 'install' entry suggesting npm install -g gokyn. This mismatch means it's unclear whether the platform will auto-install gokyn or expect it present. The install method (npm gokyn) itself is reasonable, but the discrepancy should be clarified before installation.
Credentials
Declared required env var is only KYNDLO_API_TOKEN (appropriate). SKILL.md, however, instructs setting GOOGLE_PLACES_API_KEY for venue discovery — an additional sensitive credential not declared in metadata. That undeclared requirement is a proportionality and transparency issue. No other unrelated credentials are requested.
Persistence & Privilege
Skill is user-invocable, not always-enabled, and allows autonomous invocation by default (normal). It does not request system-wide config paths or permanent 'always' presence. No evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (drive Kyndlo event creation via the gokyn CLI) but has clear inconsistencies you should resolve before installing:
1) Ask the publisher to explicitly list all required environment variables (KYNDLO_API_TOKEN and GOOGLE_PLACES_API_KEY if goplaces is actually used).
2) Confirm the install behavior: will the platform install the npm 'gokyn' package automatically or do you need to install it yourself?
3) Review the linked repository and the gokyn npm package to verify authorship and inspect what network calls the CLI makes (so you understand where the KYNDLO token and the Google key will be sent).
4) Prefer giving the skill minimal-scope credentials (tokens limited to required API scopes) and test in a non-production account first.
5) If you need stronger assurance, ask the publisher to update the registry metadata so declared requirements match the SKILL.md (especially the Google Places dependency) and to explain why any additional credentials are necessary.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎉 Clawdis
OS: macOS · Linux
Bins: node, gokyn
Env: KYNDLO_API_TOKEN
Primary env: KYNDLO_API_TOKEN
