Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
111132232
v1.0.0aa
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md states the skill discovers and installs other skills — that purpose aligns with the name/description (both minimal). However, the package includes a scripts/aa.py and two reference files whose contents are just gibberish digits/strings and are not referenced anywhere in SKILL.md or documented. The presence of undocumented code/data is inconsistent with the simple instruction-only description and should be explained by the author.
Instruction Scope
The SKILL.md instructions are short and confined to the declared purpose (finding/installing skills). They do not instruct the agent to read system files, environment variables, or send data to external endpoints, which is appropriate for this kind of skill.
Install Mechanism
There is no install specification (instruction-only), so nothing will be written to disk or automatically fetched during install. This lowers risk. The included files are present in the package but there is no installer that would execute them.
Credentials
The skill requests no environment variables, credentials, or config paths — proportionate to a discovery/help skill. No suspicious credential requests are present.
Persistence & Privilege
Skill is not marked always:true and does not request special privileges. Autonomous invocation is allowed by default but there is no instruction to modify agent config or persist credentials.
What to consider before installing
Proceed with caution. The SKILL.md itself is harmless and scoped to discovery, but the package contains an unexplained Python file and two data files whose contents are just random digits/strings. Before installing or enabling this skill: (1) Ask the publisher for the source repository or homepage and a clear explanation of what scripts/aa.py and the reference files are for. (2) Request the real source code if the included script is meant to run — the current file contents are not valid code. (3) If you must test it, run it in a sandboxed environment and do not provide credentials. (4) Prefer skills with clear documentation, verifiable source, and a known owner. If the author cannot explain the extra files, avoid installing.
Like a lobster shell, security has layers — review code before you run it.
