Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawmart Install
v1.2.3
Search and install an OpenClaw configuration pack from ClawMart
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and instructions are coherent: the skill searches a ClawMart API, downloads a pack, backs up conflicts, and writes files into ~/.openclaw/workspace and workspace/skills. However the declared API base (https://clawmart-gray.vercel.app) and missing source/homepage raise provenance questions — the host appears to be a third-party Vercel URL rather than a clearly identified official ClawMart domain.
Instruction Scope
Instructions stick to the installer's scope (read token config, query search endpoint, download pack JSON, back up and write files). A notable capability: remote pack contents are written directly into your workspace and skills directories (including SKILL.md files), which is expected for an installer but also means remote content can add executable skills to your agent. The skill does not instruct reading unrelated system paths or environment variables.
Install Mechanism
This is instruction-only with no install spec or external binary downloads, so nothing new is installed on disk by the installer itself prior to user approval.
Credentials
No environment variables or external credentials are requested, which is proportional. The skill does ask the user for a ClawMart API token and instructs saving it in plaintext at ~/.openclaw/clawmart-config.json — storing a bearer token locally is expected for this use but carries confidentiality risk; the token scope/permissions are not described.
Persistence & Privilege
always is false and the skill does not declare elevated platform privileges. It does write and overwrite files under ~/.openclaw/, and will install arbitrary skill files returned by the service; this is normal for a pack installer but increases the blast radius if the upstream source is untrusted.
What to consider before installing
This skill behaves like an installer: it will ask you for a ClawMart API token and then download JSON describing files to write into ~/.openclaw/workspace/ and workspace/skills/. Before proceeding:
1) Verify the ClawMart endpoint (https://clawmart-gray.vercel.app) is an official/trusted URL for the packs you expect; the skill's registry entry has no source or homepage.
2) Inspect search results and the downloaded pack JSON (files array and skills-manifest) before confirming installation — review every file the pack will write, especially any SKILL.md files, because installed skills can extend agent behavior.
3) Back up your ~/.openclaw/ workspace manually (the skill does create backups, but keep an external copy).
4) Consider creating a limited-scope token (if supported) or using a throwaway account when testing.
5) If you cannot verify the upstream service or inspect the pack contents safely, avoid providing your token and do not install the pack.
Like a lobster shell, security has layers — review code before you run it.
