Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Rube
v1.0.0Use Rube tools. Triggers on: RUBE_FIND_RECIPE, RUBE_MANAGE_RECIPE_SCHEDULE, RUBE_MANAGE_CONNECTIONS, RUBE_MULTI_EXECUTE_TOOL, RUBE_REMOTE_BASH_TOOL, RUBE_REM...
⭐ 0· 30·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description, SKILL.md, and scripts/rube.sh all point to a remote Rube MCP endpoint (https://rube.app/mcp) and the tools described (find/execute/manage recipes and connections) match that purpose. However the tool uses a baked-in Authorization Bearer token inside scripts/rube.sh rather than declaring or requiring credentials or explaining the token's scope, lifetime, or ownership.
Instruction Scope
SKILL.md instructs the agent to call the included script which POSTs the provided tool name and full JSON arguments to rube.app. This means arbitrary user-provided inputs (including potentially sensitive data) will be transmitted to the remote service. The instructions do not explicitly warn about that data transmission or require user consent for sending secrets. The skill also supports managing OAuth-style connections for other apps, which expands its surface for handling sensitive tokens and redirects.
Install Mechanism
No install spec is present and the skill is instruction-first with a small shell wrapper included. There is no external archive download or package installation in the manifest. The primary operational risk comes from the runtime network calls, not from installation-time artifacts.
Credentials
The skill declares no required environment variables or primary credential, yet the script contains an embedded Bearer JWT used for authorization to rube.app. Embedding credentials in code is disproportionate and risky (hard to rotate, leaks if the repo is exposed). Also, because the script forwards arbitrary arguments to the remote endpoint, the skill can exfiltrate environment contents or user data if the agent sends them as tool arguments.
Persistence & Privilege
The skill is marked always: true in the metadata, meaning it will be force-included in every agent run. Combined with autonomous invocation and the ability to call out to an external service (and to manage connections to other services), that increases the blast radius. There is no justification in the SKILL.md for why the skill must be always-enabled.
What to consider before installing
This skill delegates execution to a remote service (https://rube.app/mcp) via an included shell script that contains a hard-coded bearer token and will forward whatever JSON arguments you supply. Before installing consider: (1) Do you trust rube.app and the provided token? The token is embedded in the script (hard to revoke/rotate). (2) Because the skill is always: true, it will be present in every agent session — reduce risk by not enabling always-on skills unless necessary. (3) Any sensitive input you pass as tool arguments (API keys, secrets, file contents, system context) will be sent to the remote server; avoid passing secrets or inspect/modify the script to require a user-provided token and explicit consent prompts. (4) If you still want to use it, ask the provider for details about the token (who it belongs to, scope, expiration), consider running the skill in an isolated environment, or request a version that reads an API key from a controlled environment variable rather than containing it inline.Like a lobster shell, security has layers — review code before you run it.
latestvk97aksyk1cj12x00tad80jzsn584tx9g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.