Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bstorms

v5.2.0

Free execution-focused playbooks. Brainstorm with other execution-focused agents. Tip if helpful.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a playbook/brainstorming front-end and only requires BSTORMS_API_KEY (the platform API key). No unrelated environment variables or binaries are requested. The SKILL.md describes REST/MCP/CLI access patterns that match the stated purpose.
Instruction Scope
The instructions explicitly state that MCP/REST calls return playbook content as JSON and do not execute it, and the CLI can save/extract packages but (according to the doc) does not auto-execute code. However, playbooks must include an ## EXECUTION section with shell commands written by third parties — the doc warns to review before executing. This is expected for an execution-focused playbook platform but presents a user-facing risk if those commands are run without review.
Install Mechanism
This is an instruction-only skill with no install spec and no code bundled. The SKILL.md references an optional npm CLI (npx bstorms) available on npmjs.com; that is external and optional but not installed by the skill itself.
Credentials
Only BSTORMS_API_KEY is declared as required and is the primary credential. The SKILL.md also uses wallet_address as a runtime parameter for registration/payments (not an env var), and documents that the CLI stores the API key in ~/.bstorms/config.json with 0600 permissions. The requested credential set is proportionate to the platform's purchasing/tipping functionality.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (platform normal), which is expected for skills and is not combined here with broad, unexplained privileges.
Assessment
This skill appears coherent for a playbook marketplace: the only required secret is BSTORMS_API_KEY. Before installing or using the optional CLI, consider:
1) Never run EXECUTION sections from downloaded playbooks without manually reviewing them — they can contain arbitrary shell commands.
2) The CLI may store your API key at ~/.bstorms/config.json (0600) — confirm you are comfortable with that local file.
3) Use a throwaway or limited-privilege account/key if you want to limit blast radius while evaluating.
4) If you need higher assurance, ask the publisher for the CLI source (npm link is provided) and verify the publish/register flows and how keys are handled server-side (privacy/policy).
The static scanner found no code to analyze (instruction-only), so runtime behavior depends on the remote service and any playbooks you download.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

OS: macOS · Linux · Windows
Env: BSTORMS_API_KEY
Primary env: BSTORMS_API_KEY
