Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Laravel Package Search
v2.0.3
Real-time Laravel package search via Packagist API with local cache. Supports 22 scenes, quality scoring, and cross-references to laravel-docs-reader for off...
⭐ 0· 55·0 current·0 all-time
by Gao.QiLin @relunctance
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md repeatedly describes a PHP CLI tool (scripts/search.php), local cache (scripts/.cache.json), and real-time Packagist API calls. The skill bundle contains no PHP script or any code files to implement that behavior, and the metadata does not declare PHP (php CLI) as a required binary. A consumer expecting a runnable CLI/search tool would not get one from this bundle.
Instruction Scope
Runtime instructions tell the agent to run `php search.php`, create/read a cache file at scripts/.cache.json, and call Packagist as well as cross-reference another skill (laravel-docs-reader). Because the actual script is not included, the instructions either expect the agent to implement or fetch code at runtime (not documented) or assume a preexisting environment. The instructions also assume filesystem write access and outbound network access (Packagist), which are not declared or controlled by the manifest.
Install Mechanism
There is no install spec (instruction-only), which is low-risk from an install-footprint perspective. However, the absence of shipped code means the documented runtime behavior cannot be validated from the bundle itself — the skill is effectively a spec, not an implementation.
Credentials
The skill declares no required environment variables or credentials (proportionate). That said, the SKILL.md references creating `composer require` commands and a sample config `env('PACKAGE_KEY')` for downstream packages, which are unrelated to this skill's own operation. The skill will need network access to Packagist and a PHP runtime to operate as documented; neither is declared.
Persistence & Privilege
The skill does not request `always:true` or any persistent privileges. It does instruct the agent to create a local cache file at scripts/.cache.json, which would apply only if the CLI existed; this is limited in scope and is not an elevated privilege.
What to consider before installing
This bundle is inconsistent: the SKILL.md describes a PHP-based CLI (scripts/search.php) and a local cache file, but the package contains no script or code and does not declare PHP as required. Before installing or enabling this skill:
(1) Ask the publisher for the missing code (scripts/search.php) or an explanation of how the agent is expected to execute the described CLI.
(2) Verify that a PHP runtime will actually be available where the agent runs; otherwise the documented commands cannot run.
(3) If you plan to run any provided PHP script, review its source first — the SKILL.md expects the script to read/write scripts/.cache.json and perform outbound Packagist requests, so run it in a sandbox or restricted environment with limited filesystem/network access.
(4) If the author supplies the missing code, re-run a content review: verify no hardcoded endpoints, secrets, or unexpected network calls are present and ensure the script only contacts packagist.org and documented resources.
If you cannot obtain the code or a satisfactory explanation, treat this skill as non-functional and do not enable it for autonomous use.
Like a lobster shell, security has layers — review code before you run it.
