Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Konektor - CAPI & Lead Management

v2.1.1

Access and manage marketing leads, update lead details, and retrieve analytics for lead performance and conversion tracking via Konektor API.

by Rama Aditya (@ramaaditya49)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md describes a Konektor lead-management API (listing leads, creating leads, analytics) that legitimately requires an API key. However, the registry metadata for the skill declares no required environment variables or primary credential. That discrepancy (documentation requiring KONEKTOR_API_KEY vs metadata claiming none) is unexpected and incoherent.
Instruction Scope
The runtime instructions in SKILL.md are scoped to HTTP API calls to https://konektor.id and require a Bearer token and specific scopes. The document does not instruct reading unrelated system files or secrets beyond the KONEKTOR_API_KEY. The main issue is SKILL.md itself expects an env var that the registry did not declare.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — it does not write files or download packages, which is lower-risk from an install perspective.
! Credentials
Requesting a KONEKTOR_API_KEY (scoped bearer token) is proportionate to a lead-management integration. The problem is the metadata omission: the skill claims to require no env vars while the documentation requires a secret. This mismatch could be an honest metadata error but also makes it unclear what credentials the skill will ask the agent to provide at runtime.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. There is no indication it requests persistent system-wide changes or other skills' credentials.
What to consider before installing
Do not provide any real or high-privilege API keys to this skill until the metadata mismatch is resolved. Ask the publisher (or registry) to: 1) update the registry metadata to declare KONEKTOR_API_KEY as a required env var and specify the primaryEnv and exact minimal scopes; 2) provide a homepage or contact to verify authenticity. If you must test it, create a limited-scope, revocable API key (least privilege), use a test workspace or sandbox account, and run the agent in an isolated environment while monitoring outbound network traffic to verify it only contacts https://konektor.id. Revoke the test key immediately if behavior is unexpected. If the publisher cannot verify identity or fix the metadata, treat the skill as untrusted.
