ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Cache

v1.0.0

Semantic code caching for AI agents. Cache, retrieve, and reuse code from prior agent executions.

0· 682·0 current·0 all-time
by@ryx2
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, README, and code all describe a Raysurfer-backed semantic code cache. The only required environment variable is RAYSURFER_API_KEY which directly matches the documented remote API usage.
Instruction Scope
Instructions and CLI operations are scoped to searching, downloading, writing code files to a cache directory, uploading code snippets, and voting — all expected for a caching service. Note: uploads will transmit user code to the external Raysurfer service (explicitly documented). Retrieved snippets are written to disk for execution by the agent/runner, which is expected but is a privacy/safety consideration (see guidance).
Install Mechanism
No install spec is present (instruction-only from the registry point of view) and the repo contains Python CLI code. There are no remote downloads or opaque installers referenced in SKILL.md/README; the code expects a standard 'raysurfer' Python package if used locally.
Credentials
Only one credential is requested (RAYSURFER_API_KEY) which is proportionate to the described remote API usage. However, that key grants the skill network access to the external Raysurfer service and will be used to upload user code — any secrets inside code files could be transmitted.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide privileges or modify other skills' configs. It writes cached files to a user-specified directory (default .code_cache), which is expected behavior.
Assessment
This skill appears coherent: it talks to the Raysurfer API using the single RAYSURFER_API_KEY you provide and implements search/fetch/upload/vote for code snippets. Before installing, consider: 1) Trust the third party (Raysurfer): uploaded code and metadata will be transmitted to their service. 2) Sensitive data risk: any secrets or credentials embedded in code you upload could be leaked — audit or sanitize files before upload. 3) Execution risk: the skill writes retrieved code to disk so your agent or sandbox may execute it — run in an isolated sandbox and review code before execution. 4) Key management: store the API key with least privilege and be prepared to revoke it if needed. If these tradeoffs are acceptable, the skill is internally consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745wqcg07rd2wa8z4d3srfys810qjx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏄 Clawdis
EnvRAYSURFER_API_KEY
Primary envRAYSURFER_API_KEY

Comments