Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Super Powers AI

v1.0.4

Install and run the published SuperPowers desktop streamer npm package. Use when a user needs a portable ClawHub skill that installs the third-party npm pack...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the implementation: the helper installs the npm package superpowers-ai into .superpowers/npm and runs its CLI. It does not request unrelated environment variables or attempt global installs. The pin to a single package name and the claimed provenance are consistent with the code.
Instruction Scope
SKILL.md and the helper script stay within the stated scope (install, login, start/stop, whoami, logout). The main risk is inherent: the helper installs and then executes an unreviewed third‑party package (no source edits). The instructions do not read unrelated files or request unexpected env vars, but the runtime package may prompt for email/phone verification and will talk to its backend.
Install Mechanism
There is no separate install spec; the runtime script executes npm install --prefix into the skill's state directory. That is an expected, low-friction approach, but installing a package from the public npm registry at runtime means arbitrary code from that package will run. The script retries with a temp npm cache if needed; that is not unusual in itself, but it does perform network downloads.
Credentials
The skill declares no required environment variables or credentials, which matches the files. However, the script uses the user's current npm configuration and environment when invoking npm/node (process.env is forwarded). If the user has registry auth tokens or sensitive npm config (~/.npmrc or env vars), those could influence the install or be used during runtime. The package itself will ask for login credentials (email/phone); that is expected, but those credentials go to the package's backend, not to the skill.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and confines files to its own .superpowers state directory. It uses normal local permissions and does not perform system‑wide changes.
Assessment
This skill is internally coherent, but before running it be aware it will download and execute the third-party npm package superpowers-ai (you are not given its source as part of the skill). That package may contact its own backend, ask for email/phone verification, and require screen/capture permissions on macOS. Recommended precautions:
- Inspect the package and maintainer on npm (publisher: superpowersai, maintainer email listed in SKILL.md). Check the package homepage/repo and recent releases.
- If you keep registry auth tokens or sensitive settings in your npm config (~/.npmrc or env vars), either remove them or run the helper in a disposable environment (VM/container) so tokens cannot be used by the install or package.
- If you want to audit code before running, download the package (npm pack or view its repo) and review the bin/entrypoint referenced by the helper (bin/supers.js) before running it.
- For maximum safety, run the workflow in an isolated machine or sandbox, and avoid handing over production credentials or a personal phone/email you don't want tied to a third-party service.
If you trust the superpowersai publisher and are comfortable with these supply-chain risks, the skill behaves as described.
scripts/install_and_run.js:84: Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Plugin bundle (nix)
Skill pack · CLI binary · Config
Config requirements
State dir: .superpowers
CLI help (from plugin)
node scripts/install_and_run.js --help
node scripts/install_and_run.js
node scripts/install_and_run.js --start
node scripts/install_and_run.js --stop
latest: vk97fm01s3w9rdbqc6svnj791c184d9sk


Config example

Starter config for this plugin bundle.

config = {

};
