ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Etalon Tech Scan

v0.9.5

Technology stack detection for any domain using the ETALON CLI. Identifies frameworks, CDNs, CMS platforms, analytics, payment systems, hosting providers, an...

0· 64·0 current·0 all-time
byNico Lumma@rednix
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md describes running the etalon CLI (etalon techscan <domain>) to detect frameworks, CDNs, analytics, hosting, etc., which matches the skill's name and description. The only minor inconsistency: the registry summary at the top of the package listed no required binaries, while SKILL.md declares etalon as a required binary. Requiring the etalon CLI is reasonable for this purpose.
Instruction Scope
Instructions are narrowly scoped to running etalon on given domains (single or batch), parsing output, comparing stacks, and optionally correlating with cost heuristics. There are no instructions to read arbitrary system files, exfiltrate secrets, or call unexpected external endpoints. The SKILL.md explicitly asks to confirm with the user before running scans.
Install Mechanism
This is an instruction-only skill (no install spec). SKILL.md instructs users to install etalon-cli via `cargo install etalon-cli` if needed. That is a normal user-managed install but involves network/download and compiling Rust code; the skill itself does not auto-download or write code to disk.
Credentials
No environment variables, credentials, or config paths are requested. The skill's needs (a local etalon binary) are proportionate to the stated functionality.
Persistence & Privilege
always:false and no special persistence or system modifications are requested. The skill does not request elevated or cross-skill configuration changes.
Assessment
This skill appears to do what it says: run the local ETALON CLI and parse its output. Before installing or using it: 1) Ensure you (or your agent) have the etalon-cli installed manually from the upstream repository (https://github.com/NMA-vc/etalon) and verify you trust that release (cargo will download/build code). 2) Confirm with any stakeholders before scanning domains you do not own—batch scans can probe third-party or internal hosts. 3) Note the small metadata mismatch: the top-level package summary lists no required binaries but SKILL.md requires the `etalon` CLI; make sure the agent environment actually has that binary or the skill will fail. 4) If you need stronger assurance, review the etalon repository and release artifacts (or use a packaged release from a trusted distribution) before installing. Otherwise the skill is coherent and proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk975h06ma9jsjap40fxkdk93m983a78w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments