Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Glow

v1.0.3

Help your human find meaningful connections through private introductions — dating, friendships, activity partners, or professional networking. Use when the...

by Rob Meadows (@robmeadows)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a social/introductions connector and only asks for curl and a single API key (GLOW_API_KEY). Those requirements match the described REST/API and MCP flows and are proportionate to the stated purpose.
Instruction Scope
SKILL.md describes registering agents, polling for intros/messages, performing actions (accept/decline/message), and optional webhook usage. All referenced endpoints and actions align with a matchmaking service. The instructions do require access to the user's Glow messages/intros (expected for this type of skill) but do not instruct reading unrelated system files or other environment variables.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded code. That minimizes on-disk execution risk. It does reference an npm-style install command (npx skills add talktoglow/glow) but provides no installer that fetches arbitrary code as part of this package.
Credentials
Only a single credential (GLOW_API_KEY) is required and is documented as the primary credential. Requiring an API key for a REST-based service that accesses private messages/intros is proportionate. The SKILL.md does not request unrelated secrets or other system credentials.
Persistence & Privilege
The skill is not always-on (always:false) and uses default autonomous invocation behavior (disable-model-invocation:false), which is normal for skills. There is no indication it modifies other skills or system-wide settings.
Assessment
This skill appears internally consistent, but you should still treat the Glow API key as sensitive: only provide it to trusted agents/clients, store it securely (not in shared scripts), and rotate/revoke it if you stop using the skill. Confirm that the domain in requests matches agents.talktoglow.com (as the SKILL.md warns). If you plan to enable polling/heartbeat, ensure your deployment's polling frequency and data retention policies meet your privacy expectations. Finally, consider using the MCP/OAuth path (no API key stored) if your client supports it — it's safer than placing the API key in environment variables.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: curl
Env: GLOW_API_KEY
Primary env: GLOW_API_KEY
