Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Humanizer AI
v1.0.1
Humanizer AI CLI. Detect AI-generated text and humanize it to bypass GPTZero, Turnitin, Originality.ai, Copyleaks, ZeroGPT, and Winston AI. Rewrite AI conten...
by Romain SIMON @romainsimon
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (detect and humanize AI text) aligns with the files, package.json, and required binaries. The skill requires an API key and an API URL which are exactly what a remote-API-backed CLI would need. The declared binary name ('humanizerai') and npm package match the package.json and bin entry.
Instruction Scope
SKILL.md and the code instruct the agent to read text from flags, files, or stdin and POST it to /detect or /humanize on the configured API — this is consistent with the stated purpose. Note: the runtime behavior necessarily transmits full user text to the third‑party service; that is expected for this functionality but is an important privacy/data-exfiltration consideration.
Install Mechanism
Install is via the npm package 'humanizerai' (package.json present). This is a typical install mechanism for a Node CLI. No obscure download URLs, shorteners, or extract-from-unknown-host steps are present in the spec or files.
Credentials
The skill requires two environment variables: HUMANIZERAI_API_KEY (primary credential) and optional HUMANIZERAI_API_URL. Both are directly relevant and proportionate for a remote API client. No unrelated secrets, system tokens, or config paths are requested.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills, and does not attempt to write to system-wide config beyond installing its own binary. Default autonomous invocation is allowed (platform default) and is not combined with other privilege escalations.
Assessment
This package appears internally consistent, but review the following before installing: (1) Privacy: any text you pass (including PII, student work, proprietary text, or secrets) will be sent to the external HumanizerAI API — avoid submitting sensitive content. (2) Trust & billing: the API key grants access to your account/credits and the humanize endpoint charges credits (1 credit = 1 word according to docs); keep keys secret and verify billing limits. (3) Ethics & legal: the tool explicitly aims to help bypass AI/plagiarism detectors; consider academic integrity and legal implications before use. (4) Source verification: the repository and npm package look consistent, but if you plan to install system-wide, verify the package on npm and the GitHub repo (signatures, recent activity, open issues) to ensure you’re running the official publisher’s release. (5) Least privilege: store the API key in a dedicated secret with minimal scope and rotate it if you stop using the service.
dist/index.js:75
Environment variable access combined with network send.
dist/index.js:95
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk973d1j86ysz2477fzejs2h9j98302tw
Runtime requirements
✍️ Clawdis
Bins: humanizerai
Env: HUMANIZERAI_API_KEY, HUMANIZERAI_API_URL
Primary env: HUMANIZERAI_API_KEY
Install
Node
Bins: humanizerai
npm i -g humanizerai