ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ravi identity

v2.1.1

Get your agent identity (email, phone, owner name) and manage identities. Do NOT use for reading messages (use ravi-inbox), sending email (use ravi-email-sen...

0· 514·1 current·1 all-time
byRaunak Singwi@raunaksingwi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the SKILL.md: it only manages identities (email, phone, owner) and lists CLI commands for those actions. However, the skill does not declare any required binaries or credentials while the runtime instructions assume a local 'ravi' CLI and an auth/login step — this mismatch should be clarified.
Instruction Scope
Instructions are narrowly scoped to running 'ravi' CLI commands (auth status, get email/phone/owner, list/create/use identity). They do not instruct reading unrelated files or exfiltrating data. The SKILL.md does instruct using 'ravi auth login' for onboarding, which implies an auth flow and local credential storage.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by the skill bundle itself (lower install risk).
Credentials
The skill declares no environment variables or primary credential, but the documented workflow relies on a local 'ravi' CLI and an auth/login process — which will likely produce or use local credentials/tokens. The absence of declared secrets is an internal inconsistency to verify.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation settings (default). It does not request elevated platform-wide persistence. Be aware that autonomous invocation plus the ability to create identities could have real-world cost/privacy implications if allowed without user confirmation.
What to consider before installing
Before installing: confirm where the 'ravi' CLI comes from and whether you trust that provider (registry source is unknown); verify how 'ravi auth login' stores credentials locally and whether tokens are kept in system files; understand that creating identities may require a paid plan and produces real email/phone resources; ask the skill author or registry to declare the required binary and any expected auth/credential flows; consider restricting autonomous invocation or requiring explicit user consent for actions that create identities or perform billing-related operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk978scanvq567kp18dcjy091d984e0ex

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments