Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Edith Senso Ingest

v1.0.0

Ingest documents into your Senso.ai knowledge base through Edith smart glasses. Triggers when user wants to add content to their knowledge base.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (ingest content into Senso.ai) align with the instructions (POST to senso.ai content endpoint). However, the skill's runtime instructions require a SENSO_API_KEY while the registry metadata declares no required environment variables or primary credential — an inconsistency.
Instruction Scope
SKILL.md gives explicit, bounded instructions: read file contents when a file path is provided and POST text to the Senso API. This stays within the stated purpose. It does instruct the agent to use the exec tool to run curl and to store a user-provided API key into OpenClaw memory/config; both are reasonable for this use case but increase the attack surface (shell execution and secret storage).
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. No downloads or third-party packages are being added by the skill itself.
Credentials
SKILL.md clearly requires a SENSO_API_KEY and tells the user to store it as SENSO_API_KEY in OpenClaw's memory/config, but the skill metadata lists no required env vars or primary credential. Requesting an API key is proportionate for the functionality, but the manifest should declare it. Storing secrets in agent memory/config without clear statements about protection or lifecycle (encryption, deletion, scope) is a concern.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
This skill appears to do what it claims (POST your content to Senso.ai), but the manifest is missing a declared environment variable: SKILL.md requires a SENSO_API_KEY while the registry lists none. Before installing, ask the publisher to: (1) update the manifest to declare SENSO_API_KEY (and mark it as the primary credential), (2) explain how and where the API key will be stored and protected in OpenClaw (encryption, access controls, retention/deletion), and (3) confirm the endpoint domain (sdk.senso.ai) is official. Also consider: provide a scoped API key (minimal permissions), avoid pasting long-lived master keys into the agent until you confirm secure storage, and be cautious when giving file paths — the skill will read files you point it at and send them to the external service.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ejx26k77vktcnqt7n7nmms83rxe4
